Bill C-475 (Historical)

Mr. Speaker, I am pleased to speak to the bill. I have two questions for the member.

The member's bill would empower the Federal Court to impose fines of non-compliance with an enforcement order by the Privacy Commissioner. Why would we not have an opportunity for the Privacy Commissioner herself to impose fines rather than having to go through the Federal Court?

Recently the Privacy Commissioner released a white paper on a similar topic. How does the member's bill compare to the white paper that the commissioner released today?

Mr. Speaker, I thank my colleague who also worked very hard. He studied social networks and privacy with us in committee.

With respect to his first question, I would say that it is a private member's bill and therefore cannot incur costs or expenditures. That is a short answer to an interesting question.

In response to his second question, the Privacy Commissioner released a report today indicating the changes she would like to see in the law protecting privacy. She has some excellent suggestions, which correspond exactly to what I am proposing in my bill.

There is real consensus among experts on the protection of privacy and the Office of the Privacy Commissioner. These measures have the support of a substantial portion of the population. We must move forward with these measures.

Mr. Speaker, what is concerning about Bill C-12, which the government has brought forward, is that it actually lowers the standards for the protection of privacy rights in this country. It allows a subjective test for companies that are dealing with a data breach. The threshold now is that a company assesses significant risk before it informs citizens. It is as if the government is trying to create a hackers' paradise in Canada. It has no standards for defending private information when it is lost in its offices. It does not inform the Privacy Commissioner.

The Privacy Commissioner has said that the government's bill is insufficient for protecting the privacy rights of Canadians. Given the serious issues of identity theft and hackers, I would ask my honourable colleague this: In light of what the Privacy Commissioner has come out with today about the need for order-making powers and the authority to protect privacy data from hacking, how does she compare what she is trying to do with her bill, which is address the protection of privacy data in the age of big data, with the government, which is creating such a loophole that almost any company playing loosey-goosey with the privacy rights of Canadians would be able to slip through? It seems that the government would prefer to protect the bad apples than protect Canadian citizens.

Mr. Speaker, I would like to thank my colleague who also works very hard on the protection of personal information.

As I pointed out in my speech, the bill introduced by the government dates back to 2007. It is no longer pertinent or practical and does not address the risks that are present today, in the digital age, in 2013. The threshold proposed by the Conservatives is very subjective. It would allow organizations to carry out their own assessment of the situation and the risk present even though these organizations are often not in the best position to carry out such assessments.

I am proposing that, when there is a risk, all organizations report it to the commissioner. It will then be up to the commissioner to examine the risk and the loss of data and to decide whether the risk of harm is serious or not. That is what we must implement.

I invite all members of the House to bring our privacy protection laws into the digital age to ensure that they address clear and present risks.

Mr. Speaker, I am pleased to rise today to speak to private member's Bill C-475.

I thank the hon. member for the opportunity to discuss our government's approach to protecting Canadians from data breaches. This issue is one of many the government has committed to addressing in its own bill to update the Personal Information Protection and Electronics Documents Act, namely Bill C-12, which is currently awaiting second reading.

I wish to point out that the data breach notification regime proposed in Bill C-475 takes a starkly different approach than that in Bill C-12. Bill C-475 requires organizations to first notify the Privacy Commissioner of every potential data breach, regardless of context or remoteness. The Privacy Commissioner must then determine whether affected individuals should be notified. Given the potential number of breaches that could be reported, such a regime would increase costs and burdensome compliance procedures for Canadian businesses and would impose an unwieldy financial and administrative burden on the Office of the Privacy Commissioner, generating more costs than benefits for taxpayers.

In contrast to the approach in Bill C-475, Bill C-12 requires that organizations determine whether a breach of personal information poses a real risk of significant harm to individuals. The organization experiencing the breach is in the best position to understand and assess the risks and decide quickly what should be done to protect individuals without delay. With appropriate oversight by the Privacy Commissioner, the responsibility should rest with the organization experiencing the breach. Bill C-12 also requires an organization to report a potential breach to the Privacy Commissioner when there is real risk of significant harm.

The Privacy Commissioner retains oversight of the notification process and would have the option of initiating an investigation if it were believed that notification was not done properly or did not occur when it was required. This also provides her office with information on the nature and number of breaches that have occurred.

There are other differences between the approaches to notification taken in the two bills. Bill C-475 states two factors that are to be used by an organization when determining whether to report a breach to the Office of the Privacy Commissioner. These factors are the sensitivity of the information and the number of individuals impacted by the breach. The use of only these two factors to determine risk related to a breach does not allow for consideration of circumstances to determine if a potential breach could be harmful.

This approach in Bill C-475 to determine whether to report a breach to the commissioner would also not capture breaches impacting only one or a few individuals, even where there is a high risk of significant harm to those individuals. This leaves a large portion of potentially harmful incidents outside of the legislation.

By contrast, Bill C-12 lays out different factors for determining whether a breach poses a real risk of harm, namely the sensitivity of the information and the potential for the misuse of that information. This requires the organization to assess all the circumstances around the breach, including, for example, whether the information was encrypted, whether it was fully recovered, or whether the circumstances suggest criminal involvement. All of these issues must be considered when determining the risk related to a particular data breach. If not, we run the risk of not capturing all harmful breaches or of focusing on capturing too many remote potential breaches, thereby increasing the burden on organizations and quite possibly reducing the commissioner's capacity for dealing with those that would cause harm.

Under Bill C-475, the proposed threshold to be used by the Privacy Commissioner for determining whether to order an organization to notify individuals is “appreciable risk of harm”. This term is ambiguous and is not defined in the bill. It is therefore not clear what type of breaches this threshold is meant to capture.

The manner of notification to individuals required by Bill C-475 is stated as “...clear and delivered directly...in the prescribed form and manner”. However, there are no details provided on what that form and manner would entail. Furthermore, the bill would not provide for regulation-making power to address this. PIPEDA applies to a very broad range of organizations of all sizes to ensure the timely notification of individuals. The means of notification imposed by any legislative requirement should be flexible enough to accommodate the varying circumstances in which these organizations find themselves.

For example, Bill C-12 would allow organizations to use means of notification such as website notices or paid advertisements, where necessary. This can be an important tool in situations where there is a large group of individuals who have not provided their current contact details, for instance. Organizations need access to every method available to reach those concerned in a timely manner. The new requirement proposed by Bill C-475 would create considerable uncertainty and would be burdensome and costly for organizations. In the U.S., where this issue is tracked annually, the average cost to an organization of a single notification is estimated to be $194. The average total cost to an organization for a data breach is approximately $5.5 million. As entrepreneurs in our communities strive to grow our economy and create jobs for Canadian families, we should take care to examine more efficient alternatives to ineffective procedures. These new requirements might even diminish the value of notification because of notification fatigue, causing individuals to ignore the numerous notices they receive. Bill C-475 would thus undermine its own purpose.

In summary, the opposition's approach in Bill C-475 would impose an administrative burden on the Privacy Commissioner and a financial burden on organizations and would impede timely disclosure of data breaches to individuals. Bill C-475 also does not define key terms adequately and does not capture many potentially harmful breaches, such as those involving a small number of individuals.

The notification regime proposed under Bill C-12, on the other hand, is a careful, risk-based approach that would balance the need for notification to individuals with the cost of notification. The comprehensive approach of Bill C-12 could be applied to the vast range of circumstances and considerations faced by the various types of businesses, both large and small, that are subject to our federal private-sector privacy legislation.

I would therefore urge hon. members to oppose Bill C-475, and I invite the opposition to join us in support of Bill C-12 and move it to committee for detailed consideration as soon as possible.

Mr. Speaker, I listened to the member talking about supporting Bill C-12. The problem is that the bill has been sitting on the order paper now for almost a year and the government has done absolutely nothing in advancing it, so that we could get it to committee and have a debate on it. One thing that Bill C-475 does is move forward the debate on privacy and the access to and protection of people's private information.

We are encouraged by Bill C-475 and want to get it to committee so we can update the legislation that has been in place. Only today, the Privacy Commissioner of Canada, Commissioner Stoddart, said we are falling behind and we are at risk of not being up to date with others around the world.

PIPEDA has been in place since 2001 with no changes since that particular date. On that, Commissioner Stoddart said:

Back in 2001, when PIPEDA began coming into force, --and even when I became Privacy Commissioner in 2003--there was no Facebook, no Twitter and no Google Street View. Phones weren’t smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.

Things have changed in the last 15 years and we need to get up to date. Bill C-475 is a good first start. We need to also look at the commissioner's white paper released today, because she did say we are at risk of falling behind.

The reforms that need to be made to PIPEDA include stronger enforcement powers, requiring organizations to report breaches of personal information, requiring organizations to publicly report the number of disclosures they make and modifying the accountability principle.

One of the things the commissioner even said today is that she has no power. The only power the commissioner has is to name companies who breach these laws, so we need strong legislation and enforcement powers, and we need to make sure she has power to fine. Some of that may be in Bill C-12, but we have not seen that and we have not seen it being moved forward in the legislature.

These things do need to be updated. We look forward to having some more debate and getting this bill to committee so that we can really dig into it to see how these changes are going to have an impact and what improvements may need to be made to the bill from the information commissioner. We look forward to doing that in committee.

Mr. Speaker, I am very pleased to rise today in support of Bill C-475, put forward by my colleague from Terrebonne—Blainville. This is an extremely important initiative for all Canadians.

Frankly, the question that arises is: Whatever happened to Bill C-12? This was to be the government's showpiece legislation to reform private sector privacy in Canada. That was back on September 29, 2011, and it is missing in action. As my colleagues have said repeatedly, privacy is the victim. Canadians are expecting, in this 21st century world in which we live, this digital economy, that their privacy will be protected.

I want to say in my remarks that this is good for business. This is actually essential for business. We can talk about privacy protection in the private sector as a human right, but we can also talk about it as being good for business, and I want to give a couple of examples where, in fact, we have kind of missed the boat on that.

The government had the opportunity. There was a requirement for it to bring in Bill C-12. It did not do this because of privacy protection concerns or even for good business reasons; it had to do it because the Personal Information Protection and Electronic Documents Act required that there be a statutory review. It has taken a long time, and I guess we will have another statutory review before it ever deals with Bill C-12. The point is that it is not just bad for privacy for all the reasons I have said, including the digital economy changing so utterly since 2001, but it is bad for business. That is a language the government, presumably, will understand, so let me talk about business.

We live in a world of big data. The current Foreign Affairs magazine talks about the rise of big data. Canadian Business magazine talks about a couple of examples where Canada, sadly, dropped the ball. Let me explain.

A few years ago Google made overtures in Quebec, but the provincial government and Hydro-Québec were unwilling to provide the kind of electricity required so a large data centre could be situated in that jurisdiction. What happened? Google went to Finland and, as a result, the company built a 350-million-euro data centre. Facebook is currently building a 900,000-square-foot facility 100 kilometres south of the Arctic Circle in Sweden. There is a gigantic industry available for gigantic data, and Canada is missing the train. Why is that?

We have cheap electricity by world standards. That should be easy. We have a very secure Canadian Shield in which we could situate these large data centres. Places like Kamloops in British Columbia have been considered. Here is what else we have. We have laws in the private sector that are substantially similar to those of the European Union. It has a very strong data protection law there. It cares deeply about privacy in that jurisdiction. Companies like Facebook have come to Canada and, essentially, test driven their new privacy regimes to see if they pass muster under the Canadian privacy laws, because if they do, they probably will pass muster in the European Union, the U.K. and places of that sort, since our laws are substantially similar.

Canada is perfectly situated between the United States and Europe with a relatively robust privacy protection regime to attract lots of business, but we dropped the ball. The government has utterly dropped the ball with Bill C-12. Who knows if it will ever see the light of day? I say that is tragic for business.

My colleague from Terrebonne—Blainville has spoken strongly in favour of privacy as a constitutional right, and that is true, of course, but the business side of this is good as well. What does her bill do? It does two fundamental things. It deals with breach notification, which according to the Privacy Commissioner of Canada today, 97% of Canadians think is a good idea, according to a poll. Talk about a no-brainer. Second, it talks about better enforcement provisions and order-making powers. Let me speak about each of those things that her bill would do.

First, in Bill C-475 there is a requirement to notify the commissioner of a breach if there is a possible risk of harm. We have seen lots of breaches where credit card information has found its way to various places it ought not to be, and the like, medical information, information that Canadians hold dear. If there is a risk of harm, the notification must be made in a form prescribed in regulations or otherwise specified by the commissioner.

We do not put everything in statutes; we wait for regulations to put flesh on the bones. That is how we do business. It is not surprising that is the way this has been proposed in Bill C-475 as well.

Then there was some concern because the bill talks about the commissioner requiring the organization to notify affected individuals to whom there is an “appreciable risk of harm” as a result of the data breach. Somehow I gather we should be criticized for the appreciable risk not being spelled out. Well, do we have “reasonable person” standards spelled out in our laws? Do we have every situation in the Criminal Code spelled out? Of course not. We use general words. We allow courts and commissioners and regulatory bodies to figure out what those mean. That is the way we do business. It is not surprising that has not been spelled out in detail here either. That is entirely consistent with normal Canadian drafting processes.

The commissioner would have the ability to order the private sector organization to notify individuals and the bill provides a certain number of criteria that should be considered in doing so. Then there is the possibility of an administrative monetary penalty, depending on certain factors that are listed, of up to $500,000. There is, of course, the issue of the right of action that the commissioner might have against an organization that has not complied with orders.

To me, these are entirely common sense, entirely 21st century provisions. I am so pleased that Canada's highly respected privacy commissioner, Jennifer Stoddart, has agreed entirely with these initiatives at a press conference in Toronto today. I thought this quote was perfectly in line with my colleague's bill. She said:

Personal information has been called the oil of the digital economy. As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially.

That goes to the point that the law we have in Canada, although good at the time in 2001, is entirely out of date and everyone knows it has to be improved. The Conservatives seem to not want to do that. Therefore, this bill would at least get us half the way there with two key things.

Finally, we would have order making power for the commissioner. I live in British Columbia. In my province and in the provinces of Quebec, Alberta and Newfoundland and Labrador, people have had the ability for this umpire in the game, this ombudsperson, to make orders where appropriate, and the sky has not fallen. It seems to me it has worked extremely well.

Why is it that we have taken so long to come up with what has been proven to be a huge success story at the provincial level? Imagine that: an administrative body making an order. How many thousands of examples can we find in Canadian legislation of just that kind of power? This is hardly surprising or radical. It is consistent with administrative justice regimes we find at the federal and provincial levels across the country.

The other thing Canadians want is breach notification. That is the other key element in this initiative. Why? It is because it is the most visceral example of privacy violation. When thousands of records frequently find themselves in the hands of others, not only is there a risk of identity theft and enormous personal loss, not only is it a drain on our economy if that occurs, but there is also a sense of enormous personal violation when individuals' privacy is put at risk.

There is an example in the United Kingdom, where someone left a data stick in the back of one of those black London taxis. It contained the records of several million British taxpayers. Just think what one could do with that information, not just economically. Think of the kind of very sensitive information that would entail. One could find out who was paying money to people, for example, who might have children of whom their current partner was unaware. That would be shown by way of alimony payments and maintenance payments that could be deducted from income tax.

There are a zillion examples of those kinds of breaches. Canadians are worried about that. According to our privacy commissioner, 97% in a survey expressed that concern.

I want to congratulate my colleague for her excellent work in bringing forward Bill C-475. I am shocked that our Government of Canada has not seen fit to move forward with Bill C-12. We get more platitudes about it but no action. I am thankful for the action this legislation entails.

Mr. Speaker, I am pleased to rise today to comment on private member's Bill C-475 tabled by my colleague, the member of Parliament for Terrebonne—Blainville.

First, I will correct the record for the hon. member. I think it was February 15, and I do not know if the hon. member was here, when our House leader certainly made very clear that we were willing to move Bill C-12 to committee, but it was obstructed by the opposition party that denied consent for that.

The Internet has become a platform for commerce. More and more online transactions rely on flows of information, including personal information. In fact, personal information is often cited as the lifeblood of the modern economy. It is a key asset and a driver for innovation. However, for information to continue to be an engine of growth and innovation, it is necessary to maintain a solid foundation of trust in the fair and responsible handling of personal information.

As the opposition is well aware, the government already has amendments to PIPEDA before the House in the form of Bill C-12, the safeguarding Canadians' personal information act. The amendments in this bill are the result of extensive public consultations and reflect the work of our parliamentary committee and legislative review process. They reflect the values of Canadian consumers as well as the realities of the marketplace.

Bill C-12 establishes broad-based, balanced, comprehensive improvements to PIPEDA which set out enhanced protections for Canadians' privacy, while ensuring that legitimate business needs for information are met.

By contrast, the opposition's approach to privacy in Bill C-475 introduces only two new measures in PIPEDA. The first of these is a potentially costly and administratively burdensome data breach notification regime.

Bill C-475 would require that organizations report every data breach involving a “possible risk of harm”, no matter how remote to the Privacy Commissioner of Canada. The commissioner must then spend time determining whether each one of those breaches poses an “appreciable risk of harm”, and thereby warrants notification to affected individuals.

In contrast, the government's Bill C-12 proposes an approach to data breach notification that balances the cost to organizations of unnecessary notifications with the needs of consumers.

Bill C-12 would require notification to individuals only in situations where the organization determined that a breach carried a “real risk of significant harm”, which includes both financial harm, such as fraud, and non-financial harm, such as humiliation. This would eliminate the need for costly notification where it was not needed. This would minimize the compliance burden on organizations and reduce the risk of notification fatigue among consumers, while ensuring individuals would get the information they needed to protect themselves.

The opposition's Bill C-475 contains a lengthy list of consequences for non-compliance. This includes a monetary penalty of up to $500,000, which I am sure members will agree is a significant amount. However, should penalties for small businesses in our communities be as large as those of multinationals? The opposition seems to think this should be the case because Bill C-475 is silent on this question.

In contrast, the proposed measures in Bill C-12 reflect the importance of personal information to the smooth functioning of the marketplace. They address barriers to information flows, which were unforeseen when the act first came into force. They clarify and streamline privacy rules for business, while at the same time providing companies with the information they require to continue to grow and prosper.

Consumer information plays a role in many legitimate businesses. Financing transactions and acquisitions that occur in the normal course of development of many businesses require an assessment of business assets. These assets can include databases containing the personal information of customers the businesses intend to keep serving or information about the training and skills of employees who will continue to work with the business. Without the ability to access this personal information, it can be difficult for companies to assess the economic viability of a particular transaction.

Bill C-12 proposes to amend PIPEDA to enable companies to review personal information when necessary to conduct the proper due diligence prior to engaging in business dealings. Before any information can be shared between parties to a business transaction, each party must enter into a formal agreement that constrains the use of the information to purposes related to the transaction itself. In keeping with PIPEDA's existing principles, the agreement must also require the parties to protect that information with strong security safeguards.

Bill C-12 involves amendments that will remove barriers to the availability of information that is necessary to establish, manage or end an employment relationship.

Private sector representatives and the Privacy Commissioner of Canada have recognized that adjustments to PIPEDA were needed to reflect the unique context of the employment relationship.

As a result, Bill C-12 would amend the act to address situations where, for example, employers might need to collect and use the personal information of their employees to issue identification cards and control access to restricted areas.

These measures have been carefully balanced to maintain the protection of employee privacy by limiting the collection, use or disclosure of employees' personal information to that which is absolutely necessary and by ensuring that individuals are notified when their information is being collected, used or disclosed in the employment context.

Bill C-12 also follows up on other key recommendations. For instance, it would provide greater certainty and would clarify rules for business by streamlining private sector investigations. PIPEDA currently allows companies to share personal information with organizations that have a legitimate mandate to conduct investigations into breaches of agreements and contraventions of the law.

However, under PIPEDA, a burdensome and lengthy regulatory process is required in order to render this effective. To date, four separate regulatory processes have had to be launched to allow for the designation of 84 organizations or classes of investigative organizations with more expected.

Under Bill C-12, if passed, Parliament will act to replace this onerous regulatory process with an exception that will enable the information to be shared only in limited circumstances. Indeed, the government will only allow this information to be shared when it is necessary for the conduct of investigations and for fraud prevention.

I believe Bill C-12 provides a better model for the enhancement of privacy protection in Canada. I do not believe Bill C-475 provides the same balanced and comprehensive model.

I call upon members to support Bill C-12 rather than Bill C-475. I would mention for my colleagues from across the way that if they actually want to pass Bill C-12, as they seem to, both parties have mentioned it in the last few minutes, we would be glad to have that discussion and move it to committee tomorrow.

Before I begin, Mr. Speaker, I would like to remind the members opposite that Bill C-475 does not represent a comprehensive review of the Personal Information Protection and Electronic Documents Act, and for that reason, it cannot be compared with the government’s Bill C-12, which does in fact constitute a thorough review and is much broader in scope. Therefore I would invite the members to learn more about this bill before criticizing it.

I am especially pleased today to speak to this bill which was introduced by my colleague from Terrebonne—Blainville. Since being elected she has worked tirelessly on various issues related to the digital world. In particular, she fought against Bill C-30 and forced the Conservative government to kill its online spying bill. She also held public consultations on the North Shore on personal information protection as it relates to her bill.

Today, with Bill C-475, my colleague is calling for the Personal Information Protection and Electronic Documents Act to be modernized to take into account the new digital reality. It is hard to believe that this legislation has not been modernized since it was first passed 13 years ago in 2000. Back then, there were no iPods, smart phones, Facebook or Twitter, and I did not even have an email address. It is time for the government to blow the cobwebs away and modernize this legislation to better protect Canadians’ personal information.

The Personal Information Protection and Electronic Documents Act is based on the ombudsman model. The primary duty of the privacy commissioner is to investigate complaints concerning privacy breaches. The privacy commissioner has the power to investigate, to file complaints, to conduct audits and to publicly report on an organization’s personal information management practices. However, the act does not give the commissioner the power to make compliance orders, or in other words, to order organizations to amend their practices or face a fine if they fail to do so.

To clearly grasp the issue here, I would like to give a few examples that illustrate the need to give the Privacy Commissioner more powers. The commissioner recalled that in 2010, the retailer Staples had failed to delete all of the client data stored on devices such as laptops or USB hard drives that had been returned to their stores and were slated for resale. What is most disturbing is that this retailer had been investigated twice before and was still not complying with the commissioner’s orders.

Let us be honest here. The government created a watchdog who in essence has been muzzled. This watchdog does not have the power to enforce the act. This initiative by my colleague from Terrebonne—Blainville would give the Privacy Commissioner the means to do her job.

Another example is Google Street View, which collected personal information such as email addresses, emails, usernames, passwords, telephone numbers and street addresses. The commissioner found that this practice constituted a serious breach of Canadians’ right to privacy. In this instance, the outcome was a little more positive. Google appears to have accepted the recommendations of the commissioner, who observed that the company was on the right track to resolving these major problems.

I should also like to mention the Edmonton-based site Nexopia, which describes itself as the largest social networking site for young Canadians. The site has over 1.6 million registered users, 80% of whom live in Canada. Nexopia.com users create profiles, engage in blogging, create photo galleries and post articles, artwork, music, poems and videos. The problem is that Nexopia does not have any kind of system in place to block public searches of the profiles of young users, and the website does not allow users to shield their profile from the public. You can see the problem.

These facts are troubling, considering that young people are often careless when it comes to their personal information and that they are targeted by many companies and some offenders. The commissioner conducted a thorough investigation, found that this organization was not in compliance with the legislation in a number of areas and issued 24 recommendations.

Following the release of her report, the federal Privacy Commissioner was forced to ask the Federal Court to make an order compelling Nexopia to stop retaining personal information. Since this action was launched, Nexopia has changed hands, and we are still waiting for the new owner to follow up on all of the commissioner’s recommendations.

Bill C-475 introduced by my colleague attempts to resolve much of the problem by amending the Personal Information Protection and Electronic Documents Act in two ways. First, it would give the Privacy Commissioner enforcement powers, the power to order an organization that has failed to comply with the act to take the necessary steps to comply. Any organization that refused to take action within the timeframe set by the commissioner would risk a fine of up to $500,000.

As well, the bill makes it mandatory to signal any data breaches that could harm an individual. If an individual's personal information has been compromised in a way that could harm that individual, the organization responsible must inform the privacy commissioner of the violation. The commissioner can then determine if the violation could harm the individual and may force the organization responsible to inform the individual that their personal information has been compromised. Non-compliance could result in a fine of up to $500,000.

We believe that this will help increase compliance with the law, reduce the cost of the current process, and reduce delays. It will also establish solid case law that will allow individuals and organizations to better understand their rights and responsibilities.

I would like to point out that three provinces already have laws that are basically similar to the federal law concerning privacy in the private sector. Unlike Ottawa, the provinces of Quebec, Alberta and British Columbia empower their commissioner to make binding decisions in certain circumstances.

As my colleague mentioned when she introduced the bill, it seems that there is a consensus among the public to increase fines for offenders. As the Commissioner said, it is important to note that Canadians are the heaviest Internet users worldwide, spending an average of 45 hours a month online.

We are also among the most avid users of networking websites in the world. I was not surprised to hear that half of Canadians are on Facebook. In light of those statistics, it is not surprising that privacy is an ongoing concern for Canadians.

The 2011 Canadians and Privacy Survey found that the vast majority of respondents are in favour of stiff penalties for organizations that fail to protect peoples' privacy. More than 8 out of 10 respondents want to see measures passed to name offending organizations, impose fines or take the organizations to court.

The Commissioner herself is calling for more power to fulfill her mandate. In her 2011 report, she said:

In recent years, we have seen very serious, large-scale data breaches. Data breach notification, in itself, may not be sufficient to create the kind of incentives necessary to ensure that organizations take security issues more seriously in the current environment. Many other countries are taking a harder line on breaches. For example, the United States has been a leader in this area and virtually all states have data breach laws. Meanwhile, a European Commission Regulation proposed in early 2012 included data breach provisions and very significant fining powers for European data protection authorities. Commissioner Stoddart has encouraged the federal government to explore strengthened enforcement options that would create stronger incentives for organizations to ensure personal information is adequately protected.

The report could not have been any clearer.

Why are the Conservatives so soft on those whose business practices are compromising Canadians' personal data?

As a final point, it is important to understand that the Personal Information Protection and Electronic Documents Act and this bill apply to the use of personal information only in the private sector. Ideally, the proposed measures would also apply to government organizations.

I know in the past my hon. colleague has asked the Standing Committee on Access to Information, Privacy and Ethics to examine the possibility of opening up the Personal Information Protection and Electronic Documents Act to resolve this issue.

In closing, it is unfortunate that the Conservatives oppose this, and I hope we can come up with a solution to this serious problem.

The time provided for the consideration of private members' business has now expired and the order is dropped to the bottom of the order of precedence on the order paper.

[For continuation of proceedings see Part B]

moved that Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), be read the second time and referred to a committee.

Mr. Speaker, I am having a déjà vu. I feel like I already delivered a speech for the first hour of debate.

I am very pleased to have the opportunity to reopen the debate on an issue that is extremely important for Canadians and our digital industry and that is the issue of protecting personal information.

My Bill C-475 seeks to modernize the Personal Information Protection and Electronic Documents Act, which has not been updated since the arrival of the first generation of iPod. That is an eternity in a modern and ever-changing society like ours. Several million Canadians have never known a world without smart phones. This legislation that governs crucial aspects of our lives does not respond to the challenges of our time.

As I have already mentioned, we use the Internet every day. We use the Web to socialize, share our ideas with others, work, contribute to the Canadian and global economies, participate in democracy and educate ourselves. The Internet is indispensable to our personal, academic and professional development.

The Internet is central to the lives of both children and adults, who use it for entertainment and as a work tool. However, all of our web activities create a digital information footprint, which makes it even more clear that we need to protect our information.

I would like to share some facts that show how big a role the Internet plays in our lives. Quebeckers and Canadians spend about 45 hours a week online More than 70% of Canadians use it daily. Our citizens have more than 18 million Facebook accounts. The digital economy is a sector that is growing exponentially.

Our democracy is becoming increasingly digitized. One example is petitions, which allow our citizens to speak up and become involved in regional, national and international issues. Canada as a country is firmly plugged in.

We are increasingly managing our lives digitally. Because of this major shift, new rules are needed. These rules must take into account the new risks associated with this shift.

Since the beginning of this year, we have seen what a huge impact the loss of personal information has on our communities, for all citizens, regardless of their vulnerability or level of digital literacy. Millions of Canadians are affected by the loss of information, and this is happening more frequently every year, according to the Privacy Commissioner.

A study published in 2011 showed that every publicly traded Canadian company experiences an average of 18 privacy breaches a year. That is a lot.

Two recent reports revealed that 7 million Canadians have lost $3 billion as a result of cybercrimes. The most common crimes are identity theft and privacy and security breaches. Companies should protect against such breaches.

These reports said that 94% of companies say that they have never experienced a privacy breach. These numbers frighten me. In addition, the more information that is shared on the Internet and our smart phones, the more chances there are that our information could be lost or stolen. This only encourages crime groups in the very lucrative phishing market that have managed to scam thousands of Canadians and steal $76 million, last year alone, through 156 million emails sent from all over the world.

This is an international problem and we have to address it immediately. Unfortunately, the current legislation to protect privacy and Canadians' personal information has not been updated to address these risks and put in place appropriate measures for our society.

The current legislation does not provide for Canadians to be notified of a breach of their personal information. In fact, organizations are not required to notify them, regardless of the seriousness of the breach. This means that they cannot take appropriate action to protect their identity or their credit in order to reduce any harm they might suffer.

Compliance with Canadian legislation governing the sharing of personal information is another major problem in Canada. In 2011, the Privacy Commissioner noted that a quarter of the most-visited websites in Canada do not comply with Canadian law; they disclose our data without our consent. What is much worse is that companies that choose to ignore our laws do not currently suffer any consequences.

For more than 10 years, Canadians have been waiting for a better regulatory framework, and they are rightly expecting results. It is in that spirit that I decided to draft Bill C-475.

I would like to quickly remind my colleagues of the two simple and effective mechanisms proposed by Bill C-475 to enhance the protection of Canadians' personal information.

First off, Bill C-475 requires that the Office of the Privacy Commissioner be notified by any organization having personal information under its control when there is a possible risk of harm to users. Experts in the commissioner's office will assess the seriousness of the situation against a criterion for harm that sets a high standard. They will recommend whether or not the organization should notify the users affected. This mechanism allows for an objective analysis of the risk and better management of the risk through an expectation of a high level of security, rather than a subjective analysis based on the interests of the organization, which may differ from the interests of users.

In addition, objective risk analysis will ensure that users are not bombarded with notifications of data breaches that do not affect them at all or present a minimal risk. Indeed, this framework will ensure that users are not bombarded with useless notifications. They will only be notified after a thorough risk assessment by the Office of the Privacy Commissioner. The process will empower Canadians to take steps to protect themselves much more quickly, in addition to reducing the harm done to them.

The second mechanism provided for in Bill C-475 is designed to give the Office of the Privacy Commissioner order-making power when an organization fails to obey the law.

The Federal Court would have legislated authority to penalize organizations that fail to carry out an order issued by the commissioner.

These mechanisms are straightforward and clarify the commissioner's powers. In short, the Office of the Commissioner will now have the power to enforce the law, which unfortunately is not now the case. All too often, the commissioner's recommendations are not being followed, and it is Canadians' privacy that is suffering.

This bill was drafted to address the concerns of Canadians, people in the digital industry, civil liberties organizations, Internet experts and specialists in the protection of privacy, some of whom we heard testify during the study conducted by the Standing Committee on Access to Information, Privacy and Ethics on social networks and privacy.

Bill C-475 is a direct response to requests from the community to adapt the law to suit our digital age by providing some flexibility for people in the industry and protecting the ombudsman's role of the Office of the Commissioner.

The bill therefore takes a very balanced approach, despite what members opposite said last May. On October 9, information and privacy commissioners and ombudspersons from Canada's federal, provincial and territorial governments met in Vancouver for their annual meeting. They voted in favour of a resolution calling for reforms to address a series of measures they are interested in looking at and supporting, including the key principles in my bill. These measures follow up on recommendations Commissioner Stoddart put forward last May with the aim of modernizing the Personal Information Protection and Electronic Documents Act in order to strengthen the authority to enforce the act, including the commissioner's ability to make orders and make it mandatory for organizations to report when information has been compromised.

The bill is also balanced with regard to companies, since clear roles and processes enable them to plan their policies and response. It will be clear for organizations that they are required to report a breach to the Office of the Commissioner, but they will not be responsible for deciding what the ultimate risk is. Companies that are law-abiding will no longer have to compete with companies that are not.

Finally, this bill makes it possible to bring our privacy protection legislation up to the same level as countries such as Germany, Great-Britain, Australia and France, as well as Canadian provinces such as Quebec and Alberta. Canada, as a world leader in technology, must implement international standards. A cross-Canada survey published in April by the Office of the Privacy Commissioner, found that 97% of Canadians would want to be notified if the personal information they had given to an organization were compromised. In addition, 80% of respondents would grant more powers to the Office of the Privacy Commissioner.

The principles defended by my bill have garnered support from all classes of stakeholders affected by these changes, including industry representatives, civil liberties organizations, academics specializing in all areas, consumer protection agencies and even by the Privacy Commissioner and the ombudsman for privacy and information.

This fall, the public consultations I conducted in my riding and the West confirmed the growing interest of Canadians in privacy issues and their support for my bill.

The Union des consommateurs, for example, has stated that:

[it] believes that the implementation of the principles proposed by the NDP, through their private member's bill amending the Personal Information Protection and Electronic Documents Act, constitutes a real advancement to better protect the privacy of consumers.

Michael Geist, the Canada research chair of Internet and e-commerce law at the University of Ottawa said the following:

Bill C-475 is a far better proposal ...Those provisions would do far to ensure a greater respect for Canadian privacy law and give Canadians the assurance of notifications in the event of security breaches.

A few years ago, my colleagues on the other side introduced a bill to modernize the Personal Information Protection and Electronic Documents Act. Therefore, I know they share my concerns about the privacy of Canadians.

Furthermore, in the Speech from the Throne last week, the Conservatives reiterated their willingness to defend the rights of consumers, and the protection of privacy is a crucial part of these rights.

However, Bill C-12 did not receive the serious consideration it needed in the House, and today its principles no longer reflect the reality of our current needs. Moreover, due to the prorogation of Parliament, Bill C-12 has died on the order paper.

My bill is the most up-to-date bill and the only one currently on the table.

I urge my colleagues across the way to reconsider their position on Bill C-475, not only because it meets the current needs of citizens and surveillance authorities, but also because, if we wait for the reintroduction and re-evaluation of an outdated bill, it will take months or even years. Canadians need to be protected now, and Bill C-475 will help restore their confidence in the companies with which they do business, as well as in our institutions.

Canada has a deplorable record on the international front when it comes to privacy, and the increasing costly attacks on our personal information demonstrate beyond a shadow of a doubt that we cannot afford to wait any longer; we must act now.

Canada's Privacy Commissioner, Jennifer Stoddart, said it best on October 9, 2013:

We live in a world where technologies are evolving at lightning speed and organizations are using our personal information in ways previously unimaginable—creating new risks for our privacy. Our laws need to keep up. Canadians expect and deserve modern, effective laws to protect their right to privacy.

By voting in favour of Bill C-475, my colleagues would be meeting Canadians' expectations. If the members of this House truly care about the privacy of their citizens, they have absolutely no reason to vote against my bill.

If the Conservatives take their commitment to consumers seriously, they must vote in favour of Bill C-475.

I would also like to reiterate that I am willing to work with all parties in order to ensure that Canadians have the protection they deserve in this digital age.

We must work together, as parliamentarians, to better protect the privacy rights of our citizens, our youth and seniors.

Mr. Speaker, my colleague mentioned déjà vu. Because of prorogation, she has to start that hour of debate over again. I would still like to congratulate her, as I was not here the first time around. I am happy to be able to second and support her bill.

The member touched on many points. The file she is working on is very complex. Specifically, only in the very last sentence of her speech did she mention youth and seniors. That is what makes this issue so interesting.

When I tour the schools in my riding, I hear young people and their parents express concern about their privacy on the Internet. When I attend the seniors' forum in Chambly, for example, the police always make a presentation on the dangers of breaches of information and its many consequences, like fraud.

I would like to give my colleague the opportunity to expand on the consultations she held. She mentioned several prominent people in the field, like Michael Geist. I know she consulted widely. Along with my colleagues, I would like to hear more about the kind of comments she heard because, as we all know, people are losing confidence. I can feel it in my riding and I am sure several of my colleagues feel it in theirs. I would like to hear more from the member on that subject.

Mr. Speaker, I thank my colleague for his question and for his support of my bill.

He raises an excellent point. In fact, I consulted many Canadians and held information sessions about my bill. I also tried to make both young and old people realize what happens to our personal information when we put it online. Many were very surprised to hear just how widely their personal information is used, and for what purposes. In many cases, it is used in ways people never agreed to.

We do have an existing legislation: the Personal Information Protection and Electronic Documents Act is meant to protect Canadians against unauthorized disclosures of information and other similar problems. However, that legislation is being broken, and therein lies the problem.

Many firms offering Web services are simply huge, which means these issues are becoming more and more international in scope. Unfortunately, these firms do not always comply with Canadian laws.

I believe that as parliamentarians, we have a duty to implement modern protections that both young and old Internet users will be aware of. They will then be protected as the law intended, instead of seeing the law not being followed, as is sadly the case today.

Mr. Speaker, I would like to congratulate my colleague from Terrebonne—Blainville for her speech and especially for the bill she has introduced.

I trained as an archivist and part of my training dealt, of course, with the protection of personal information. This field has expanded quite a bit over the years. It was an important consideration for more traditional mediums such as paper documents and electronic documents before the Internet era. What is really frightening is the proliferation of means of exchanging this information with total impunity.

Could my colleague give us an idea of how complex this can be, of just how many opportunities for sharing, stealing or distributing personal information there can be?

Mr. Speaker, in the digital age, the personal information we provide is disclosed and transferred from person to person very quickly. It takes just milliseconds. There is a real risk.

The other thing is that there is so much personal information in such a huge data base as the Internet, and everyone can have a certain amount of access with an electronic hacking tool. That is why it is important to put in place a system that will notify people if an organization is hacked. We have to be able to inform people that their personal information has been stolen in order for them to protect themselves.

Mr. Speaker, I am pleased to speak to private member's Bill C-475 as presented by my hon. colleague from across the aisle.

Bill C-475 proposes to amend the Personal Information Protection and Electronic Documents Act known as PIPEDA, a law that has been in place for over a decade. PIPEDA has proven its value and retained its relevance in the face of unprecedented technological change.

At its core, PIPEDA gives individuals control over whether and how their personal information can be collected, used or disclosed during commercial activity. This protection fosters trust and confidence in the online marketplace, an important part of the Canadian economy that is growing by leaps and bounds.

The government is committed to updating PIPEDA. In fact, the Minister of Industry met with the Privacy Commissioner only yesterday. However, any changes that are proposed should have been discussed thoroughly with business, consumer advocates and academics or fall within the framework of the existing legislation, as is the case with the former Bill C-12. The proposed new measures put forward in Bill C-475 were not. The proposed amendments in Bill C-475 give the Privacy Commissioner new powers and present a major change to PIPEDA and the role of the commissioner. The impact of such a change on all stakeholders has not been considered.

The Privacy Commissioner's role as defined in PIPEDA is to serve as an ombudsman, a role she has performed impressively to the great benefit of Canadians. Indeed, the commissioner has been internationally recognized and applauded for her success. It was in recognition of this that her term was extended to three years in 2010.

As the commissioner's term enters its final months, the government is pleased to have this opportunity to express its gratitude for the commissioner's dedication to the protection of the privacy of Canadians.

Let us begin by highlighting some of the successes so far. PIPEDA's ombudsman model has proven very successful in setting a high standard for the protection of personal information in Canada. PIPEDA allows for mediated solutions to privacy conflicts that can give both individuals and companies a clear understanding of their rights and responsibilities. A less formal dispute-resolution mechanism is far less intimidating for individuals and easier for them to navigate.

PIPEDA's current oversight and redress regime reflects a deliberate decision by Parliament to adopt a mechanism that avoids litigation when resolving privacy disputes. PIPEDA also provides the Privacy Commissioner with a range of powers to address privacy issues. She can investigate, enter premises and compel evidence, mediate a settlement, make recommendations, publish the names of those who contravene PIPEDA and take matters to the Federal Court.

Bill C-475 would give the Privacy Commissioner new, quasi-judicial enforcement powers. Unfortunately, the enforcement regime proposed by the private member's bill is fraught with procedural failings. As my colleagues will note, the bill contains a list of consequences for non-compliance. This includes a monetary penalty of up to $500,000, a very significant amount.

However, should penalties imposed on small firms be as large as those for multinationals? Unfortunately, the bill completely overlooks this matter. The size of the firm or its ability to bear the burden of monetary penalty is apparently not a factor to be considered.

Given the potential severity of the monetary penalty, it is also puzzling to observe that this particular remedy only applies to failure to comply with orders. Indeed, organizations that have been found to wilfully violate the privacy of individuals, including those that have profited significantly from the violation, are not subject to this penalty. They are only penalized if they have failed to change their ways after having been caught. There are many outstanding issues and questions with respect to the enforcement measures that are being proposed in Bill C-475.

PIPEDA already provides the Federal Court with the ability to provide any remedy it deems appropriate, including orders to correct practices, award damages, or order offending parties to publish a notice of corrective action. Clearly, PIPEDA establishes a comprehensive process for taking action against privacy violations. Businesses, both large and small, together with individuals, have found much success in the resolution of their disputes.

We must ask, then, how the proposed enforcement measures are going to affect the level of co-operation that exists between organizations subject to PIPEDA and the Privacy Commissioner. Would the enforcement regime of Bill C-475 change the current dynamic between organizations subject to PIPEDA and the commissioner, making the parties more adversarial and the process counterproductive? These are questions that cannot be taken lightly.

Finally, the implications of these new powers on the structure and resources of the Privacy Commissioner's office do not seem to have been considered during the drafting of Bill C-475. The new powers would place an undue burden on personnel within the Privacy Commissioner's office. One cannot simply add new enforcement powers to a law without thorough study and consideration of the impact on its existing oversight regime or on its regulator.

We cannot support Bill C-475. There are too many omissions and fundamental questions left unanswered in this bill.

In spite of the difficulties with this private member's bill, though, the issue of compliance with PIPEDA certainly warrants further exploration. The government will continue to send a strong message about the importance of complying with PIPEDA, given its critical role in building trust and confidence in the online marketplace. Furthermore, there must be an opportunity for all Canadians with an interest in privacy issues to be comprehensively canvassed and thoroughly heard.

To conclude, the government does not support private member's Bill C-475. Instead, the government remains committed to updating PIPEDA in a more considered and comprehensive manner. Our government will have a balanced approach, one that takes seriously the protection of private information while establishing a regulatory framework that is workable for businesses.

Mr. Speaker, it is a pleasure to contribute to this debate today. I listened to the parliamentary secretary speak to the bill. He left out a few interesting facts.

Bill C-12, which was the government's bill, was introduced in 2007. Five long years have passed since then, and the government has not kept its commitment to changing PIPEDA and making the necessary changes. Twice the bill has fallen off the order paper. The government has not been taking PIPEDA very seriously at all.

I commend the member for bringing forward the bill. It would deal with two small measures. First, it talks about reporting the loss or disclosure of unauthorized access to personal information. Where a reasonable person would conclude that there exists some possible risk, the commissioner would have to be notified. The other part would give the commissioner some actual teeth to dig in and fine when personal information is lost.

We, as a government, are falling behind the rest of the world when it comes to protecting people's privacy.

I find it comical that the parliamentary secretary says that PIPEDA has kept its relevance. I am going to quote Commissioner Stoddart with respect to its relevance. She stated:

Back in 2001, when PIPEDA began coming into force, – and even when I became Privacy Commissioner in 2003 – there was no Facebook, no Twitter and no Google Street View. Phones weren't smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.

A lot has changed since 2001, and our PIPEDA legislation just has not kept up.

This is a good start. It would give the commissioner more enforcement powers. Currently the commissioner can only publicly shame a company for breaching PIPEDA. It is time for the commissioner to have the strong enforcement powers needed. Some of that may have been contained in the government's bill, Bill C-12, but that bill has not seen the light of day.

Bill C-475 is with us now. It is something we need to refer to committee. We need to update our privacy laws, and we will be supporting the bill.

Mr. Speaker, I am very pleased to speak in support of the bill introduced by the member for Terrebonne—Blainville. Earlier, I congratulated her on her work, because we all agree that this is a very complex issue, as I said when I asked her a question.

It is rather amazing to realize that the Personal Information Protection and Electronic Documents Act has not been updated since 2000. At the risk of showing my youth, which I really do not need to do here, the last time this bill was updated I was at the ripe old age of 12. We can see how much the technology has changed, particularly in relation to the legislation as a whole.

In my view, it is completely absurd to claim that we can keep going as we are with Facebook, Twitter and iPhones. We could stay here all night just listing all the changes in technology.

Indeed, all we had to do was listen to the news this morning, not to point fingers. Of course, there are all kinds of practices, but there was one news item about what Bell does with the personal information of its customers. I am not necessarily blaming the company. I think it falls to us, the elected politicians, to assume our responsibilities—but more particularly to the government to assume its own—and implement legislation that will provide better protection of our personal information in the digital age, which is also an age of uncertainty.

What I have found in discussing this issue with my constituents is that there is a lot of confusion. There is a lack of knowledge, and it is not because my constituents are uninformed on the subject. On the contrary. It is difficult to keep the legislation in line with what the Privacy Commissioner, among others, has already said about what should be done. There is quite a hodge-podge of information.

My colleague is proposing we update the law and bring it in line with recommendations from the Privacy Commissioner, for one. I know that this is not the only element, but it is a striking one because we often see the commissioner's proposals in the news. Obviously, this one jumps out at people who are following this issue.

I really appreciate an important component of this bill, which addresses the idea of coordinating our legislation with that of other countries to ensure that we are keeping up with what is happening around the world. In the digital age, privacy knows no boundaries.

Consider this scenario: someone could subscribe to an Internet service that is based in the United Kingdom. Imagine that the individual's information is compromised; questions are raised about the Canadian government's power to protect that individual's private information. We need to recognize that borders are disappearing in the digital world. We need to take that into account when we update our laws. That goes without saying.

In the question I asked my colleague earlier, I spoke about another aspect that I want to touch on in my speech, and that is the fact that this issue is not bound by age. It is not limited to a single generation.

There is a tendency to think that Facebook is for young people. Similarly, we think that seniors are the ones maliciously targeted by fraudsters. However, it is not that cut and dried. Just as there are no borders—as I said when I was talking about the international component—fraud and privacy breaches are not limited to one generation more than any other.

I want to come back to the example that I gave in my earlier question. While discussing various suggestions with students, for example, we often ask them what they can do to better protect themselves on the Internet.

Canadians can and must have proactive habits, both on the Internet and elsewhere. However, the federal government must also enact legislation that has more teeth in order to allow for more appropriate punishments for businesses that do not perform their due diligence. We put our trust in them when we give them our personal information, which is vulnerable to fraud. Unfortunately, for a few years now, people are realizing that trust and good faith are not enough. The federal government has a duty to legislate in this regard, which is what this bill does.

In my speeches, I often give examples of all kinds of issues raised at the seniors' forum in Chambly, which I attend every year. This event really captures a wide range of issues that matter to seniors. For me, as a member of Parliament, it is an excellent way of knowing what is going on with seniors and of understanding their concerns. Every year, there is always a portion of the event that addresses fraud and elder abuse.

Considering the world they grew up in, seniors do not always know how to protect themselves online, despite their best efforts. I do not think it is unkind to say so. As I said, seniors recognize this themselves and are demanding that the government do something in order to ensure that, when they hand over their personal information to a website or company, it will be protected.

This also applies to cellphones. More and more seniors are using this technology, which is a good thing, because we want them to be able to participate in this technological aspect of our society. We need to do our duty, as elected representatives, to ensure that they can do so safely, while recognizing that they need to be proactive, just as younger people need to be. The need for citizens to be proactive does not relieve legislators of their responsibility to do their part to ensure that laws are in place and that companies cannot run around with people's personal information, since this could lead to bad situations.

I would even say that this issue has been one of the government's weak points. I would also like to point out that privacy is a very hot topic at the moment. Many of my constituents really care about privacy. My colleague for Terrebonne—Blainville has often raised other issues related to the digital age. Clearly, the government has not done enough when it comes to improving the legislation or acting proactively as federal MPs to take advantage of the digital age.

Consider the lack of information about the lost student loan data and other situations at Service Canada. These situations show that the government is not proactive enough and is not making necessary improvements.

Luckily, my colleague is being proactive by introducing her bill as digital affairs critic for the NDP. She is also working on our digital strategy. I commend her on her work and I am proud to support her. I know my constituents will feel much better knowing that at least one party is taking a firm stand on this issue.

Mr. Speaker, it is a pleasure for me to to speak on Bill C-475 on the issue of privacy and digital communications.

The whole privacy issue has been a thorny one for the Conservatives. Last year they had Bill C-30, the online snooping bill, which triggered a huge countrywide backlash. Many Canadians were concerned about that bill because it proposed some very serious invasions of privacy and was an attack on the fundamental rights and freedoms of Canadians.

Privacy is also an issue because increasingly we have seen that many federal government departments, including HRSDC and Indian affairs, have lost personal information they have collected from Canadians. However, the good news for Canadians is that the NDP digital affairs critic, the MP for Terrebonne—Blainville, has been on the job defending the interests of Canadians. We thank her for introducing Bill C-475, which is an excellent response for our times to the issue of digital privacy and personal information.

Bill C-475 responds to a number of calls for greater security for public information. In the ethics committee last year there was a study on social media and privacy, led by the NDP. That committee and that study heard numerous calls from the Privacy Commissioner of Canada, legal experts on Internet security, consumer protection groups, and concerned citizens for the need to update the Personal Information Protection and Electronic Documents Act, a lengthy act that is commonly known as PIPEDA. There are many ways this act can be updated, but the fact is that it has not been updated since the year 2000.

If we think back, the year 2000 was a long time ago, before the era of iPads and smart phones. It was a time when Canadians voluntarily shared much more of their information. Times have changed dramatically, but because our laws have not changed and have not offered Canadians more protection during that period, it is not surprising that more and more Canadians are losing confidence in the ability of the government to be able to protect their privacy when it comes to PIPEDA.

Before going into it in more detail, I will summarize what this bill would do. It would ensure, first of all, that Canadians would be notified if there was a breach in security with respect to their personal information if that breach could cause them harm.

It would also add new strengths to the compliance section. Right now the Privacy Commissioner does not have much in the way of power to enforce compliance, which is unlike the situation in many other countries in the world, so it would bring Canada onto a level playing field with many other countries.

The issue of online privacy is one of growing concern. We are now in the age of big data. Companies are data mining, gathering personal information from a variety of sources, and using it for marketing, for advertising, for personalized ads, for all kinds of measures. There is nothing to protect the privacy of Canadians. There is nothing to protect the personal data of Canadians when there is a data breach that could cause them harm.

What we found in the ethics study of this issue was that there is increasing commodification of this data, called big data, by companies online so that they can do marketing, in which this personal information is often collected, used and disclosed to other parties. The person whose information is collected often does not have any idea that this is even happening. They certainly did not give consent, and it is in violation of PIPEDA.

Throughout the ethics study, there were repeated calls by Internet and privacy experts and civil society groups to empower the Privacy Commissioner of Canada with enforcement powers and to introduce mandatory data breech notification. That is exactly what Bill C-475 would do.

I want to thank my colleague from Terrebonne—Blainville for her excellent work on this issue and her tailoring of the bill to really respond to this very recent study in updating this legislation.

Again, what Bill C-475 would do is give enforcement powers to the Privacy Commissioner of Canada. It would allow the Privacy Commissioner to order an organization that is found to be in violation of PIPEDA to undertake actions to comply with the act. If they do not comply with the orders within a timeline established by the commissioner, they could be liable to a fine of up to $500,000, as determined by the Federal Court. It is a very serious penalty if they are given the opportunity to comply with the act and fail to do so.

Second, it would introduce mandatory data breach notification where there is possible risk of harm to individuals whose information has been compromised. Individuals must be notified.

If anyone thinks these are by any means radical measures—I am sure they sound like a lot of common sense to Canadians—many other jurisdictions already have such measures in law. Countries such as the U.K., France, Germany and Australia and some provinces have this provision in law. British Columbia, Alberta and Quebec have commissioners responsible for data protection or privacy. They are equipped with enforcement powers to force organizations to comply with the law. It seems like good common sense. These enforcement powers for all of these other jurisdictions include administrative monetary penalties. Canada is behind the times when it comes to PIPEDA and the lack of enforcement and the lack of notification.

What are others saying about this legislation brought forward by our colleague from Terrebonne—Blainville? OpenMedia.ca executive director Steve Anderson said, “We welcome...[the MP's] online privacy bill.... This bill is a useful stepping stone to safeguard our privacy”.

Michael Geist, chair of Internet and e-commerce law at the University of Ottawa, a renowned public affairs commentator who often has a column in my local newspaper in Toronto, said:

Bill C-475 is a far better proposal.... Those provisions would do [sic] far to ensure greater respect for Canadian privacy law and give Canadians the assurance of notifications in the event of security breaches.

In conclusion, the people I represent in Parkdale—Hyde Park include many young artists, young communicators and people who work in digital media. I have heard many calls for this kind of privacy legislation. It is long overdue, and I would urge all members of the House to vote in favour of Bill C-475.

Mr. Speaker, I am very honoured to rise today to speak to Bill C-475, which I will support at second reading.

First, I would like to speak to the work ethic of my colleague from Terrebonne—Blainville when it comes to digital issues. As the digital issues critic, my colleague has done a lot of work on a policy to better protect our personal information on the Internet. I appreciate the work she has done.

My colleague held a number of public consultations, which is important to note with this bill, since it has been well received by the public. If there is one thing that is very important and that the NDP puts a lot of emphasis on, it is public consultation. I know that most of my colleagues have held their own consultations in recent weeks and months on several issues that affect the Canadian public.

Digital issues, and privacy in particular, are extremely important issues that affect all Canadians. Later on in my speech I will talk about what the people of Alfred-Pellan, in Laval, have told me. It shows a good work ethic to consult the public, and we can create excellent bills that reflect what the public wants.

It is sad to see that, unfortunately, the federal government is not consulting the public about digital issues and our privacy. This issue is very topical and we must take it seriously. That is why public consultation is so important.

Bill C-475 would create modern protections for an issue for which it is extremely difficult to set parameters. I think that Bill C-475 achieves a very important objective: improving protections on the Internet.

The Privacy Commissioner has called for measures to be implemented on many occasions. My colleague from Terrebonne—Blainville included them in Bill C-475.

Therefore, we can say that we are listening to consumers. In fact, the Union des consommateurs supports this bill. I believe that it is very important to point that out. We have to crack down on Internet fraud and abuse. It is really important.

A little earlier, I heard a Conservative member on the other side of the House say that they are on the right track when it comes to protecting consumers and people's privacy on the Internet. Unfortunately, I doubt it. I will not give the Conservatives free reign, especially when it comes to consumer protection. Unfortunately, their record to this point strongly suggests otherwise.

We have a golden opportunity to have all parties in the House, no matter their political affiliation, work together to protect the privacy of Canadians, to all come together to work on a bill that I believe is extremely well researched.

Most people might think that the protection of privacy is assured and that we have a great deal of protection, especially when navigating the Internet. Unfortunately, that is not the case. There are no guidelines and we do not take action against the big companies that will take advantage of the system in order to use our personal information.

In that regard, I would like to talk about a few things that happened to us in Laval this past summer. I went door-to-door a great deal this summer in order to find out about the concerns of the constituents of Alfred-Pellan in Laval. Many issues were discussed during my visits. We talked about this earlier today. Many people talked to me about the Senate and abolishing it, and they told me that it will be a good thing when the NDP government abolishes the Senate in 2015.

People also talked to me about the bill introduced by my colleague from Terrebonne—Blainville. In fact, they raised questions about what we were doing to improve people's safety on the Internet. I found that extremely interesting and we had some good discussions about that.

I talked to a young man who is in a relationship and who just bought a house. He was very interested in our policies on Internet protection and not just consumer protection. He was extremely pleased to see that the NDP had a substantive bill on the subject.

During the summer, like many of my colleagues probably, I toured a number of old age homes. People were very happy to see us. We talked about protecting personal information. That is something that is very important to our seniors because, unlike a young woman like myself, they have not been immersed in all things Internet and social media since they were young. Many people do not have access to that and it is all new to them. These are things they have to learn. It can be hard for them to understand. I can see how it might be hard for them to use social networks and to cope with the fast pace of the Internet.

Often seniors tell me that they tend to be trusting and give out their personal information. Unfortunately, there are cases in my riding of people who have lost money and are being harassed because they gave out their personal information somewhere. They suddenly receive information they did not ask for from all sorts of people. It is upsetting to them.

These people were extremely concerned about protecting their information. I talked about this bill with them and they were glad to see that there is a party in the House of Commons that wants to review the rules and cares about their safety and protecting their personal information.

I think it is important that we reach out to them in this case because they are the ones who are affected the most.

My colleague from Chambly—Borduas talked a lot about seniors. I will not elaborate on that, but I will say that we must include them in this process.

As the hon. members for Chambly—Borduas and Terrebonne—Blainville said, the federal government has a responsibility to set parameters without necessarily being too tough. At some point enough is enough. There are ways to go about this that we need to oversee. The government has a responsibility and it must step up to the plate.

I studied what this bill contains in more detail because it addresses so many items. I found that it changed some very interesting things.

I saw that Bill C-475 granted, for example, powers of enforcement to the Privacy Commissioner of Canada, which is extremely important.

As I mentioned at the beginning of my speech, the Commissioner called for many changes and measures that we are dealing with right now. Any organizations that refuse to implement these measures within a timeframe set by the Commissioner would risk a fine of up to $500,000, according to a Federal Court decision.

At this time, there are no fines for a company or anyone who abuses on our social networks or the Internet. Putting these guidelines in place today prove that we are serious and we take privacy protection seriously.

There is also the fact that Bill C-475 would make it mandatory to report any data breaches that could harm the people involved.

I believe that this is another important item that we should pay special attention to.

I see that I am almost out of time, so I would like to list the stakeholders that have given us their support. As I mentioned at the beginning of my speech, the hon. member for Terrebonne—Blainville found during consultations that the Union des consommateurs supports our position. Aubrey LeBlanc, president of the Consumers Council of Canada, has come out in support of our position, as has Steve Anderson, executive director at OpenMedia. The National Association for Information Destruction Canada and the University of Ottawa's Canadian Internet Policy and Public Interest Clinic also agree with our position.

The list goes on and on. I believe that proves, as I said earlier, that we need to work together, tackle this problem, put partisanship aside for once, make the right decisions and support Canadians.

The time provided for the consideration of private members' business has now expired, and the order is dropped to the bottom of the order of precedence on the order paper.

Mr. Speaker, I am pleased to rise in the House to speak to Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), which I will refer to as PIPEDA, to make things easier.

I want to begin by putting this bill into context. From May to December 2012, the Standing Committee on Access to Information, Privacy and Ethics conducted a study on social media and privacy. Numerous witnesses testified as part of that study, including Internet and privacy experts, privacy commissioners, community groups and others.

Those witnesses raised the point that more and more information is being gathered and used for business and marketing purposes. In fact, businesses collect this information, use it and share it without the consent of the individuals concerned, which is in violation of PIPEDA.

Given the concerns raised in committee by the many experts from various fields, the wonderful member for Terrebonne—Blainville introduced Bill C-475 in the House in order to try to respond to those concerns and observations from the community and strengthen the bill in question.

I would add that Bill C-475 is attempting to amend an act that has not been reviewed since 2000. Allow me to digress. I may belong to the last generation that can claim to remember the first day when a computer came into the house. This computer was not in colour and the screen was black and yellow and square-shaped, with blurry graphics.

I remember the first time I typed my homework on a keyboard. I was typing with two fingers and this was very time-consuming. I kept hitting the on/off button with my toe. I would always lose my work because there was no autosave feature for documents at that time. In short, I have a whole lot of memories that I might be able to share with my children and grandchildren one day.

In the meantime, I will point out that it is completely absurd that a privacy act has not been reviewed since 2000. I think I do not need to say more on that subject. It is high time we made changes to this act.

First, Bill C-475, which amends an act that needs to be updated, grants powers of enforcement to the Privacy Commissioner of Canada. Moreover, the commissioner herself emphasized that she wished to have these powers when she appeared before the committee. In other countries and in certain Canadian provinces, the law provides for measures that give more powers to the commissioner. However, this is not the case for Canada. We hope this will change soon.

Who is the commissioner and what powers does she have exactly? This is a good question, and it has to be answered before we say her powers must be increased. I will take the definition used by the Canadian Internet Policy and Public Interest Clinic of the Faculty of Law at the University of Ottawa, which describes the commissioner as follows:

The Privacy Commissioner of Canada acts as an ombudsman who investigates complaints and negotiates solutions.... While the Commissioner does not have the authority to order an organization to change their personal information policies or procedures she may make public any information relating to the personal information management practices of an organization.

That summarizes the commissioner's existing powers. Bill C-475 would enhance those powers.

The commissioner recommends that organizations that refuse to implement the measures she suggests be required to abide by the law and comply with deadlines set by the commissioner, and even be liable to a fine in cases of non-compliance.

The commissioner therefore needs a little more power over Internet-based offenders.

Bill C-475's second goal is mandatory reporting of all data breaches that could harm the individuals concerned. I do not need to go into detail about how the Internet is changing quickly and how now, young and old alike are putting more and more information out there. Things are changing quickly, and we have to ensure that we can keep up with it all, understand it and regulate it.

Companies collect, sell and share this information. Part of the solution is educating people and raising awareness about the kind of information they disclose on the Internet. Still, it makes sense that people should know what is being done with their information because, after all, that information can be very valuable to the companies that can use it. That is not a bad thing in and of itself, but there should be rules for using that information.

People who create a Facebook account are asked to supply quite a lot of information. They are not the ones who decide they want that information to show up on their Facebook page. No, there is a whole form to fill out that includes their year of birth, where they live, their address, favourite movies, favourite music and much more. That is just Facebook. I use Facebook because I am not very well-versed in using other technologies. I joined Twitter just a few months ago because my colleagues and assistants pressured me to. Things are going well so far, but there are still some concerns.

A closer look at the details of this bill, at what can and cannot be done, at the powers that the Canadian commissioner has compared to commissioners in other provinces and other countries, gives us reason for concern.

Perhaps I am a little paranoid when it come to technology, but when a window appears with a little red x, I am afraid to even click on it. I wonder if that will even close the window that just appeared without me wanting it to, or if I will be clicking on a link that will give information to some company, or what have you. You know what I mean. It is hard to know what we can even trust anymore. It is not only what I decide to disclose myself, but it goes much further in terms of what information can be collected, whether we like it or not. Information can even be collected without us knowing.

It is therefore high time that we took action to update the Privacy Act.

It is this government's responsibility to move forward on this, and quickly. Things are changing fast, and we need to take a first step. This bill might not solve everything, of course, but it does address some of the concerns expressed by experts and by the commissioner herself in the parliamentary committee's examination. I really hope the government will bring forward something like this. It would be the least it could do.

In closing, I would like to point out that the Union des consommateurs believes that the implementation of the principles proposed by the NDP, through their private member's bill amending the Personal Information Protection and Electronic Documents Act, constitutes a real advancement to better protect the privacy of consumers.

I would also like to commend the enthusiasm of my NDP colleague from Terrebonne—Blainville and congratulate her. She has demonstrated her competence in managing this file for our party. She has remained very open and co-operative, and has been extremely innovative and dynamic in her collaboration with stakeholders from all walks of life in this file. She has introduced a very important bill, and I hope that we can continue for the well-being of current and future generations, in order to bring in extraordinary technologies, which can sometimes cause us some concern.

Mr. Speaker, I have had many occasions in my years in Parliament to speak in this House, but never at such an auspicious time. Oh my gosh, when I hear that Nelson Mandela just passed away, I want to share a personal experience, if I might.

My family used in live in South Africa, and much of it still does. They are white South Africans, and they lived there through Nelson Mandela's rise to power. He could have been many things, but he was a great humanitarian. He was forgiving when many might not have been. He was compassionate and understanding when others might not have been. As I make my other comments, they almost seem subdued compared to the very real experience of Nelson Mandela's impact on the world. Others will say things more articulately than I, but I will say that if the world could be measured by the quality of what Nelson Mandela brought to humanity, this would be a much better world.

I will speak now to Bill C-475 and its impact on organizations and the public. Of course, I am referring to Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA, which the bill looks to amend.

PIPEDA was developed with an important objective in mind, and that is balance. The act is designed to balance an individual's right to privacy with an organization's need to collect, use, or disclose personal information for legitimate business purposes.

I was president of a large company in London, Ontario, when PIPEDA was first introduced. For those who do not know, that is the tenth-largest city in Canada. I would say we invested considerable funds, as did corporations across Canada, to ensure compliance and to do the right thing, because a corporation must be measured in terms of being honourable and doing the right thing. The costs associated with PIPEDA then and now are very real and ongoing, but in a corporation's business it is important to comply, for the sake of the public, which is what we are talking about in terms of this legislation today.

When PIPEDA was first introduced, the government stated that in order for Canada to become a leader in the knowledge-based economy and in electronic commerce, consumers and businesses had to be comfortable with new technologies and the impact that these technologies would have on their lives. I believe that policy objective still stands. However, in order to maintain that important balance in PIPEDA, we must consider the burden imposed by the proposed requirements of this act and always weigh that burden against the corresponding benefit to society.

We all agree that requiring organizations to report certain data breaches is necessary. Data breaches can pose a serious threat to the protection of our personal information and to the security of organizations and individuals. Reporting certain data breaches publicly would allow individuals to protect themselves, and it would also encourage better data security practices by organizations. That is laudable, yet it must said that there are ways to achieve these goals without creating an undue burden on organizations and the Privacy Commissioner.

Data breach notification has the potential to be cost-prohibitive while not providing the kind of information the public requires. For example, in the United States, where this process is tracked closely, the average cost to an organization of a single notification is estimated at $188 per record, and when this figure is multiplied by the number of those potentially affected, any data breach notification could result in substantial cost to companies that must deal with that breach. Based on this data, the total average cost of a data breach to an organization is approximately $5.4 million.

As most states have mandatory reporting of data breaches, there are hundreds of breaches reported every year. According to the Privacy Rights Clearinghouse, an organization that tracks this, there were 592 breaches reported by the private sector in the United States last year. These incidents involved the information of more than 11 million individuals. That number is extraordinary. As organizations south of the border are required to notify so often, notification fatigue among the public can be a serious result.

When notification processes become simply a matter of sending out a form letter to individuals, there is always a deep concern that these letters become increasingly perceived by recipients as junk mail. We have learned from the experience of other jurisdictions. That is why this government believes the best approach to notification is one based on risk, where notification should be required only for those breaches that represent the potential for significant harm to individuals. In this way, consumers would only receive notifications when necessary and would accord them the attention they deserve, instead of seeing these messages as unwanted spam. What we are talking about here is modernization, not overhaul, as proposed Bill C-475 suggests.

The Privacy Commissioner has been a strong advocate for data breach notification. I would like to point out, however, that even she has not asked to be informed of all breaches, nor has she asked for the responsibility to determine the need for notification of when there is a breach. In fact, in her paper on the reform of PIPEDA published earlier this year, the commissioner proposed that organizations be required to report breaches “where warranted”. This suggests that the commissioner understands the burden of overnotification and supports an approach that would minimize that burden. That is modernization, not overhaul.

Unfortunately, this is not the approach taken in Bill C-475. The bill would require organizations to report to the Privacy Commissioner every data breach posing a possible risk of harm. The average organization is risk-averse, and will err on the side of caution. I know that from my own business experience. As a result, it is likely that all breaches would be reported under these circumstances, undoubtedly resulting in notification fatigue among consumers. Under Bill C-475, the commissioner would have to assess each incident reported to her and determine whether it poses an appreciable risk of harm, warranting notification to individuals. This would impose a financial and administrative burden on the commissioner's office and would likely limit its ability to deal with other complaints under the act.

In the province of Alberta, where the data breach reporting has been in place for two years, the office of the Alberta privacy commissioner has estimated that the average time to process a reported breach and determine whether notification is required is 76 days. In the case of more complex data breaches, this could be much longer. This indicates that the risk assessment process is complex, difficult, and ultimately costly.

My colleague, the hon. member for Terrebonne—Blainville, has provided us with much to consider, including some statistics on data breach incidencts. According to my hon. friend, there are 18 privacy breaches every year for every publicly traded company in Canada. We know there are over 3,000 companies traded on the Canadian-based stock exchanges. That would amount to a minimum of 54,000 data breach incidents every year. Given the number of days to assess a single data breach incident, it does not serve the public interest to process each of these 50,000 incidents each year.

Let us remember that the intent is to provide Canadians with timely information about a breach of their personal information so that they can take steps to avoid fraud, identity theft, and misuse of their personal information. I sense the intent of my colleague opposite, but it is not clear to me that my hon. friend has fully considered the administrative and resource implications of dumping this requirement on the Privacy Commissioner's office, and whether it is in the public interest of Canadians to receive so many notifications.

The government is committed to an approach that would require the organization experiencing a breach to conduct the risk assessment based on the sensitivity of the data and the probability that they have been or will be misused. The organization is in the best position to quickly assess the circumstances surrounding a breach of its security safeguards and to determine the risks involved. The government believes that organizations should notify the commissioner and affected individuals of certain breaches, those posing a real risk of significant harm. This allows the commissioner to retain oversight of how organizations are handling the process of risk assessment and notifications to individuals. The commissioner would have the option of initiating an investigation if it were believed that notification did not occur when it was required.

In closing, with appropriate oversight and guidance by the Privacy Commissioner of Canada, the responsibility for determining risk and the need for the notification of individuals should ultimately rest with the organization. I hope I have clarified for members the benefits of a more balanced approach to data breach notification. Again, it is modernization, not overhaul.

I hope colleagues will agree that the approach taken by Bill C-475 would impose unnecessary costs and has the real risk to potentially undermine the primary objective for data breach notification, which is that of providing timely information to individuals when there is truly a risk of harm.

Mr. Speaker, it is a pleasure to rise, but before I provide comment on Bill C-475, as other members have, I just want to reflect on Nelson Mandela, who is now deceased at age 95.

The world has lost a great leader. Many would argue he was one of the greatest leaders we have seen in the last hundred-plus years. Nelson Mandela served as the president of South Africa between 1994 and 1999. We think about where he came from. He went to jail back in 1962, which happened to be the year I was born. Then in 1990, 28 years later, he was released only because of international pressure from around the world in recognizing Mr. Mandela. He came from that situation to ultimately becoming the president of South Africa and everything that happened in between, such as his significant role in abolishing apartheid.

We have lost a world leader today, an inspiration not to millions but ultimately to billions over the years. It is most tragic. I give my personal very best to all who have been affected.

Dealing with Bill C-475, it is important for us to recognize a few things. First and foremost, the issue of personal information is on the top of many minds. The idea of identity theft is prevalent. We know it is a very serious issue. It happens on a daily basis. Just recently we were talking about cyberbullying, as an example. The technology is out there, and the criminal element is causing a great deal of discomfort for a lot of people in dealing with personal information.

The public as a whole does not believe that the government is doing enough to protect privacy, and the public is watching. This is why I found the previous speaker's comments interesting as he started to outline some of the costs and concerns that he has with regard to Bill C-475—

Order. Could hon. members come to order, please? The hon. member for Winnipeg North has the floor, and I would ask all hon. members to refrain from causing a disruption in the chamber.

The hon. member for Winnipeg North.

Mr. Speaker, in dealing with Bill C-475, it is important for us to recognize that there are some concerns that should and could be easily addressed by allowing the bill to be sent to committee. I would argue that there is a significant advantage if we allow that to take place. The simple reason is that there is a need for more debate. When we go into committee, different stakeholders will be able to get more of the facts on the record. When we talked about the Privacy Commissioner and the additional workload there, I can respect that. We want to hear what the facts are. We do not want to make it overly awkward, costly, and just not practical in some cases. With Bill C-475, we have an opportunity to move forward.

Members will remember earlier this year when literally thousands of student records were released. There was a huge concern all over the country. There were student loan records that were found to have been misplaced or had fallen into the wrong hands. We know that many people were directly affected by it. The government, somewhat kicking and screaming, had to acknowledge its role in not being forthright in releasing that information.

I believe there is some merit to the bill. When we take into consideration the concern that Canadians have as a whole related to the issue of personal information and wanting to see government doing more, I do not see what we have to lose by allowing the bill to be sent to committee.

I chose to stand up for two reasons. One was to emphasize the point that we should allow the bill to be sent to committee. At the same time, as I indicated at the beginning of my remarks, I wanted to get on the record the passing of a great man, Nelson Mandela. I am sure there will be more formal positions taken by many dignitaries around the world in recognition of this iconic world figure.

With those few words, I am prepared to leave it at that, in the hope that we will see the bill succeed and be sent to committee where we can hear the thoughts of different stakeholders as to what we could be doing to ensure that we are protecting the personal information that people have entrusted to either the government or the private sector. We need to do more. This bill will not necessarily answer all of the problems, but it will at least provide a venue for us to make some changes that could improve our current system.

Mr. Speaker, I see that there has been a huge reaction to Nelson Mandela's death. I was saddened to hear the news. He unfortunately passed away after a long and full life.

I want to take this opportunity to say that the fight against apartheid was a great source of pride for Canadians. We could be very proud of our government, which was a leader in this battle. By making Mr. Mandela an honorary citizen, we paid tribute to him and to the great figures from this country who sought to defend and promote human rights.

I know that there will be more elaborate tributes, so I will speak to the wonderful bill introduced by my colleague from Terrebonne—Blainville. I think it is wonderful because I admire that my colleague is looking to innovate, to get us caught up and to anticipate some very serious problems related to the major changes society is experiencing so rapidly.

I want to read the first part of section 10.01:

For the purposes of this section and section 10.02, “harm” includes bodily harm, humiliation, embarrassment, injury to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, identity fraud, negative effects on credit rating and damage to or loss of property.

I read that section because I think it is important to understand that our world has changed considerably and has done so very quickly.

I have already mentioned in this House that I used to be an archivist. I therefore understand the importance and value of information, especially when it is nominative information. I worked in this field for a long time, and my job would have eventually included applying the principles associated with the protection of personal information. I would have done it as a professional, but the organization I belonged to as an archivist would have also fully applied these principles.

I am not that old, but I graduated quite a while ago, in the early 1990s. At that time, our tools were far more limited. The emergence of computers began to change things, but the possibilities were much more limited than they are today.

I also had the privilege to read notarial deeds from the first half of the nineteenth century. To give some background, many parents passed on a parcel of land to their descendants. More often than not, the heir was their son. They would place a clause in the deed requesting support from their son as the new owner of the land, because social programs did not exist at that time.

Since that time so long ago, our society has changed so much that we now totally depend on exchanging money to live. Things were different 150 or 200 years ago, when we could depend on the strength of our arms, the bounty of our land and our ability to obtain almost everything we needed without spending a single cent.

There has been a profound change over the last 15 or 20 years. The electronic means with which we carry out our transactions have not only become commonplace, but are also extensively used by all generations.

The Internet and the numerous sites that facilitate transactions and offer new ways to trade and barter create new opportunities. This is like the wild west. Anything is possible, both good things and, unfortunately, abuses by dishonest individuals. It is really deplorable that the government would neglect Canadians and contemplate spying on them through legislation such as Bill C-30. Instead, the government should have taken into consideration these new tools and imposed a requirement to take precautions and report incidents resulting from the loss, theft or unintentional or negligent transmission of sensitive data. In the case of lost or stolen sensitive data, the technology is now so quick that in just a few hours these sensitive data can be used to commit fraud or abuse or to damage someone's reputation. It can be used widely, to the detriment of the aggrieved individual. The hon. member for Terrebonne—Blainville is taking a particularly important, crucial and laudable initiative to the great shame of the government, which should have done this itself.

Since the government was not taking action, the official opposition put forward a proposal and one of its brightest members proposed a solution widely supported by the testimony of leading experts. There are many of them. It is a great pleasure for me to put things in perspective and, more importantly, to call on the government to take a serious look at this bill in committee, because this is an opportunity that we cannot afford to miss. The Governments of Alberta and Quebec are already ahead of the federal government and have plugged some holes. If the federal government does not follow suit and correct the flaws that exist in the legislation, millions of people could potentially become victims. We are aware of the burden that having to comply with the act could represent for organizations. However, the potential harm can be so costly that I am convinced the impact and external costs of the government's negligence would ultimately exceed the costs that may be incurred to comply with the bill introduced by the hon. member for Terrebonne—Blainville.

Again I congratulate my colleague for her initiative. I wish her well and I thank her on behalf of my constituents in Beauport—Limoilou.

Mr. Speaker, I have a great crowd behind me, because this is a really important bill. There is such a great response. I really want to thank my colleague from Terrebonne—Blainville for working on this important piece of legislation. She deserves congratulations for a lot of reasons. It is a great piece of legislation.

My colleague was elected in 2011. She is proof positive than an individual MP can advocate for constituents, give a caucus important advice in a critic role, represent NDP values in a critic area, and make concrete legislative suggestions to the House. The fact that we have such a good piece of legislation before us speaks volumes about her ability to make a difference here in Parliament.

The former CEO of Google, Eric Schmidt, said that as of 2010, we create more information in just two days than was ever created up to and including 2003. That is an incredible statistic. It is massive. We create about 2,000 years' worth of information every couple of days. That is just one way of measuring how the digital world we live in today is different even compared to just 10 years ago.

Change is happening quickly when it comes to technology, innovation, and information sharing. It is increasingly an issue for Canadians, because in the last 10 years, with the growth of the digital economy, social media, and Internet access, greater amounts of personal data are shared. They are collected, used, and disclosed.

This bill identifies a problem. The problem is that our privacy laws are not built for a digital age when we create and share so much personal information.

PIPEDA was adopted in 2000. I remember it quite well, because I was a law student, starting in 2001, and we talked about what the implications would be for the groups, organizations, and communities we worked with. At that time, there were almost no social networking sites, microblogging sites, or video-sharing sites. Tumblr and YouTube did not exist, and there was no such thing as Facebook. I remember the first time I ever googled something, and it certainly was not a verb at that time.

Now over 18 million Canadians have a Facebook account, including many of us here in the House. A lot of us use this form of social networking. That number of 18 million Canadians is more than half of Canada's population, which is incredible.

Can anyone remember a time when they could not YouTube a viral video or find an old friend on Facebook? It was a completely different world 10 years ago. Now we are light years ahead of where we were in 2000.

What we are talking about here would transform the digital world in Canada. It is the type of change that affects Canadians on a huge scale. As Canadians, we are incredibly connected. We are the second-greatest Internet users in the world. More than 80% of us access the Internet regularly. Approximately 70% of us think that our personal data is less secure and less protected than it was 10 years ago, and 97% of Canadians would like to know when their personal information has been exposed because of a data breach.

It is worth noting these statistics, because most Canadians agree with the goals of this bill. It is absolutely unthinkable that we would expose so many Canadians to risks to their online privacy, especially when many people are aware of and concerned about these risks.

We need to update our privacy laws to recognize these changes and keep up with them; otherwise, we risk leaving Canadians unprotected. Canadians have moved on from 2001. It is time that our privacy protection laws moved on as well.

I would like to stress the importance of taking advantage of the opportunity this bill presents. We know that the Conservatives presented a privacy bill, Bill C-12, that came out of the 2006-2007 review of PIPEDA. However, it has been languishing on the order paper since 2011. That is far too long. Not one but two PIPEDA reviews are overdue.

We need privacy protection for the 21st century, but we also need it in the 21st century. Bill C-475 responds to these pressing challenges for protecting our privacy in a new digital age.

In a May 2013 review of PIPEDA, the Office of the Privacy Commissioner of Canada identified pressure points where PIPEDA needed to be changed. The first two of these pressure points, and arguably the most important ones, are addressed in Bill C-475.

The first pressure point identified in the report was enforcement. The report points to the fact that under PIPEDA the Privacy Commissioner is limited to the role of an administrative investigator, and that while she may seek resolution through negotiation, persuasion, and mediation, she actually has no enforcement powers.

The report says:

The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not. Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data.

Bill C-475 answers this recommendation in giving enforcement powers to the Privacy Commissioner to order organizations to comply with privacy legislation and to fine them if they refuse to take action within an established time period.

The second pressure point in the Privacy Commissioner's report was to “shine a light on privacy breaches”. It recommended that PIPEDA should:

require organizations to report breaches of personal information to the Commissioner and to notify affected individuals, where warranted, so that appropriate mitigation measures can be taken in a timely manner.

This is really common sense. First of all, we want to know when our personal information has been put at risk. As I said before, 97% of Canadians agree that they want to know when there has been a breach in their privacy. The harm that comes from these breaches can include identity theft, financial loss, negative credit ratings, and even physical harm. We should be aware that we have been exposed to a higher level of these risks when our privacy has been breached.

I will wrap up by saying that the Privacy Commissioner stressed that too often the rights of individuals are displaced by organizations' business needs and that it is becoming increasingly clear that the balance between these rights and needs is no longer there.

I would like the House to know that New Democrats are not stuck in the past. We recognize the imbalance, and with the bill we will take the first steps to make sure to protect the interests of businesses and consumers in the new digital age.

Order. I understand the government House leader is rising on a point of order.

Mr. Speaker, I would simply like to add my comments to those of my leader and say just how sorry I am to hear of Mr. Mandela's passing. He was always a great source of inspiration for me.

I have always been part of Amnesty International and other groups that defend human rights around the world. In fact, that is one of the reasons I decided to become a member of the NDP, because it is the party that does the most to defend human rights.

For me, Nelson Mandela has always been a beacon of light and hope. I would like to thank him for everything he did for us, for people around the world and especially for South Africans.

With that, I will continue on another topic altogether, that of technology. I really want to begin my speech by congratulating my colleague, the hon. member for Terrebonne—Blainville. Like me, she was elected in 2011. She is an extremely intelligent and dynamic young woman who has proven that young women have definitely earned their place in politics. She has really proven her willingness to work hard and listen not only to her constituents, but also to all the stakeholders who have an interest in the field of technology and privacy. She consulted them and listened to them, and today she is introducing her bill, Bill C-475. I really do commend her. We are all very proud of her and we thank her for taking this issue so seriously after it had unfortunately been overlooked for so long.

We now know that this legislation has not been updated since 2000. Obviously, a lot has happened since 2000, including Facebook, Twitter, iPhones and smartphones. Technology has drastically changed over the last 13 years, creating a whole new context. We now have to resolve issues that would never have crossed our minds a few years ago.

We have to realize that a number of problems stem from a lack of legislation. This bill aims to solve problems that were ignored for months or even years. The current free-for-all regarding the distribution of personal information is due, in part, to a lack of political will, as well as a legislative void. That is what makes this bill so important.

We cannot continue to do nothing while technology evolves every day. We cannot keep silent and stand idly by while these problems occur.

In fact, my hon. colleague who spoke earlier will rise again shortly to discuss a crucial issue: the fact that people have lost confidence in the system meant to protect their personal information. They have lost confidence not only in companies, but especially in the government, because it did nothing while things kept getting worse.

That is why it is extremely important to restore the public's trust in technologies, in Parliament and in legislation, so that people feel safe at home. This is our job as parliamentarians. When Canadians do not feel safe, it is up to us to do something. Something needs to be done, and it is our job to do it.

This came up in the many consultations, as my colleague pointed out. Unfortunately, 91% of Canadians said they are extremely concerned or very concerned about privacy. That is almost 100%.

I would really like to know what percentage of members of Parliament are concerned. We are all MPs and as parliamentarians we are concerned about Canadians. However, how do we feel as individuals? I would like to do a little survey here and have people tell us honestly whether they are concerned about whether their information is being protected.

For example, seven in ten Canadians reported feeling that they have less protection of their personal information than they did 10 years ago. It is time to ensure that Canadians are and feel safe. This is about feeling safe. We cannot let this situation get worse.

The content of this bill did not come from the NDP alone. It came from the Privacy Commissioner, Internet law experts, consumer protection groups and Canadian citizens, who are, of course, our primary concern. I think it came out of the 2012 study of social media and privacy by the Standing Committee on Access to Information, Privacy and Ethics.

Parliament has acknowledged this. People came to testify. This bill is not just a partisan NDP initiative. It means something to all Canadians and will enable organizations, lawyers and the Privacy Commissioner to protect Canadians.

There is no reason the Conservatives should refuse to support this bill. The NDP is not alone in going after the Conservatives about this. Canadians, lawyers and the commissioner want this too. How many people have to tell the government to do something before it actually does something?

This is about giving Canada's Privacy Commissioner the power to enforce the law. That is very important. We know that commissioners have an extremely important role to play in analyzing not only the government's actions but everything that has to do with access to information. Giving the commissioner the power to enforce the law will simply strengthen the essential role she plays in identifying problems and telling Parliament which initiatives should be taken.

I would just like to close by saying that our colleague in the House is speaking on behalf of Canadians and Quebeckers who are worried as well as all stakeholders who are worried and who all say that we need to act now to protect Canadians' information and privacy.

I would like to thank my colleague from Terrebonne—Blainville for her work and for conveying the wishes of Canadians and stakeholders to the House.

Mr. Speaker, it is not easy to speak after hearing the wonderful statements made by the Prime Minister, our leader and the member for Mount Royal. I would like to add my voice to theirs by saying that I am truly saddened by the death of Nelson Mandela. Today we lost a great man and a great symbol of hope.

Despite this, I will still speak to my bill. I am very pleased to close the debate today, although I would like to—and could—talk about it for years and years.

I want to thank all the members who contributed to this debate. Unfortunately, I have to point out that the Conservatives made several erroneous statements that undermined the real debate on Bill C-475. I want to go back to some of those statements today to set the record straight.

The government said it was committed to updating the Personal Information Protection and Electronic Documents Act. Unfortunately, the government did not even respect the provision of the act requiring a review of this legislation every five years to update it. This review should have been conducted two years ago. Moreover, the legislative amendments made during the first review in 2006-07, have yet to been implemented. The government is therefore not committed to updating the act.

It is shameful that the government is refusing to vote in favour of Bill C-475 and then has the gall to say it is concerned about Canadians' privacy.

As for the concerns about consultations and the provisions in Bill C-475, I would like to point out that we consulted 11 major companies and business organizations that would be affected by the bill and 15 consumer groups and rights and freedoms advocacy organizations from five provinces, including Alberta, British Columbia, Ontario and Quebec. We also consulted 15 of the most well-known and important academics in the domain and we heard from approximately 40 experts who shared their opinions about the implementation of the Personal Information Protection and Electronic Documents Act before the Standing Committee on Access to Information, Privacy and Ethics.

Another issue was the size of the monetary penalty companies would be liable to. There is no list of penalties. There is just one: a monetary penalty will be imposed if an organization fails to correct its non-compliant practices as ordered by the commissioner within the time limit. The bill is balanced because this penalty, which cannot exceed $500,000, will be imposed according to a list of criteria that assess the severity of the offence and the organization's ability to pay. I should point out that other countries, such as Germany, Australia and France, have much higher penalties.

My colleagues opposite talked about how the privacy commissioner's role would change and expressed concerns about the commissioner's ability to handle these new demands. Rapid changes in the digital world will change the role of moderators as well. What we are asking for in Bill C-475 is what the Office of the Privacy Commissioner of Canada told the Standing Committee on Access to Information, Privacy and Ethics it wanted to see.

With respect to the ability of the commissioner's office to deal with the new demands, the commissioner explained in committee, during the assessment of their financial statements, that having the power to issue orders and impose sanctions would produce better results that would be more timely and less expensive for Canadians. During that hearing, the commissioner's office proved without a doubt its ability to adapt its services based on economic constraints, while also increasing the office's efficiency.

However, I must say that suggesting that the commissioner's office is incapable of dealing with the provisions it proposed in committee, and without the benefit of any examination, amounts to completely baseless fearmongering.

Bill C-475 is a balanced bill. It proposes concrete measures to protect people's personal information in the digital age. It gives Canadians greater powers to protect themselves when their information is lost or stolen. It reassures Canadians regarding their engagement on the Internet, which is good for our economy.

Bill C-475 provides incentives to organizations for obeying the law. That it crucial to protecting the privacy of our constituents.

I wish to reiterate my desire to work with the members of all parties in order to make the necessary reforms to the Personal Information Protection and Electronic Documents Act. I appeal to the good judgment of all members to vote in favour of Bill C-475 on December 11.

It being 6:36 p.m., the time provided for debate has expired.

The question is on the motion. Is it the pleasure of the House to adopt the motion?

All those in favour of the motion will please say yea.

All those opposed will please say nay.

In my opinion the yeas have it.

And five or more members having risen:

Pursuant to an order made on Tuesday, November 26, 2013, the division on the motion stands deferred until Wednesday, December 11, 2013, at the expiry of the time provided for oral questions.

The hon. member for La Pointe-de-l'Île not being present to raise the matter for which adjournment notice has been given, the notice is deemed withdrawn.

The House stands adjourned until tomorrow at 10 a.m., pursuant to Standing Order 24(1).

(The House adjourned at 6:39 p.m.)