Bill C-475 (Historical)

Mr. Speaker, it is a pleasure to rise and speak to Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act, called PIPEDA. The bill has the rather misleading title of the digital privacy act.

I will be speaking against this bill for a number of reasons that have been articulated very well in past debates by the member for Terrebonne—Blainville, our digital issues critic. She has brought in a bill of her own. The government took parts of it and did not go as far as it needed to, to actually protect the digital privacy of Canadians.

I would like to, first, talk about why this is such an important bill. Second, I will talk about the history of getting it here. Last, I will talk about some of the critical problems with this bill and propose an amendment at the end of my remarks.

E-commerce is the backbone of the modern Canadian economy and it is only going to be more important going forward. Think of our children and their use of digital material.

My colleague, the member for Toronto—Danforth, made some comments about e-commerce and why this bill, which underscores legal protections for privacy and e-commerce, is so important. He said that the world's largest taxi company has no cars. It is the largest taxi company because it has personal information. It is called Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company because it owns personal information. The world's largest retailer has absolutely no inventory. He was referring to Alibaba in China.

As we move to what my colleague called the Internet of Things, by 2020, we will have 26 billion devices connected to the Internet. I hope that people appreciate that we are moving into an economy where we need to know the rules of the game and we need to know that our personal privacy in the private sector is protected. Business wants that certainty and consumers demand that what is left of their privacy be treated fairly by those private sector organizations that hold their information.

Canada is really in a unique position on the planet. We are halfway between the European Union, which has a very aggressive data protection regime, and the United States, which has sectoral legislation but not a comprehensive private sector law like PIPEDA, the bill that is before us in its amended form.

I say that we are halfway between those two regimes because, under PIPEDA, Canada has managed to create what is called a substantially similar regime to the European Union. That means that e-commerce companies in England, Ireland, France, and the 28 other countries that make up the EU can confidently share their personal information with Canadians because they know that they will have substantially similar protection. Canada achieved that. The United States does not have anything like that, so companies like Google and Facebook will often use Canada as a launching pad.

If we can make privacy protection sufficient in Canada, it will likely be sufficient for Europeans, who have had the most stringent requirements of privacy on the planet. It is important that we get this right.

It is amazing and very timely that we are having this debate at this time because on Monday of this week a clear signal was given by the Council of Ministers in the European Union that it is going to go for a regulation soon, not the directive that has been enforced for some time. After two years, all 28 countries will have to come up with an even more stringent regime.

That is why this bill is so problematic. It would not help small business, as I will describe, and it certainly would not give consumers the protection that the courts say that they are entitled to. I refer to the case of Spencer in 2014, where warrantless searches were said to be not on for Canadians, yet they seem to be just fine in this bill, which is odd. We need it get it right from a commercial point of view, as well.

I am indebted to Professor Michael Geist, who testified before the industry committee and the Senate, and who is so prolific and thoughtful in his analysis of private sector privacy legislation and other privacy regimes. He talks about how it is has taken us eight to nine years to get to this state.

I wanted to talk about this because the government's ineptitude in helping the e-commerce industry that I talked about and protecting the privacy of Canadians is on full display in the history of this bill.

The Conservatives tell us that it is urgent, that we must get on with it. Well, that is because they have dropped the ball, as I will describe in many ways. It has taken eight or nine years to get to this situation.

The Conservatives left an earlier version of a privacy bill sitting for two years in the House of Commons with no movement whatsoever and then it died at prorogation. How did that happen? In November 2006, the Standing Committee on Access to Information, Privacy and Ethics undertook its hearings on this reform. That was one year later than the five-year review process required by the act.

Just to back up, PIPEDA, the bill before us that is being amended, requires parliamentarians to review it after five years. They could not even get that deadline together.

In 2007, there was a report recommending certain things be done. Nothing seemed to happen. First reading was in 2010 for Bill C-29, the first PIPEDA reform. Second reading of the bill was in October. In September 2011 there was the first reading of Bill C-12, the second attempt to reform PIPEDA. That never got past second reading. It died when the government prorogued. Then another bill, this Bill S-4 was introduced in April 2014. This was the third try. Three strikes are lucky, I guess.

Here we are before Parliament with a bill that when it was in committee, the government said solemnly that it was urgent that we get on with it because it did not want to take a chance on any further delays and amendments. It is laughable the way the government treats the backbone of e-commerce, this privacy legislation. It has taken eight or nine years to get to where we are tonight. In the dying days of Parliament we are debating the legislation. It shows how important this must be to the government of the day.

In my riding, where we have a thriving e-commerce industry, with start-ups trying to develop apps and so forth, the bill is important and the government treats it with a history of neglect, which is the best way I can put the ineptitude I have described.

It is critical for small businesses, as I will describe, because they just do not have the wherewithal of large business to comply with some of the provisions of the legislation. I will come to that in a moment.

What does the bill do? Some of the things it does right is that it has finally agreed with endless Privacy Commissioner recommendations that there ought to be mandatory breach disclosure. If there has been a breach of data by a company, where it is sent to the wrong place and suddenly my personal information is found in the back of a taxi cab on a data stick, someone has to be told about it. That is pretty simple and obviously long overdue. That is a good thing to have in the bill.

Second, there are increased enforcement powers for the Privacy Commissioner, including the notion of compliance agreements that companies would enter into. This is a long-standing consumer protection approach that has now found its way into the bill.

According to experts, such as Mr. Lawford, testifying on behalf of the Public Interest Advocacy Centre, it would likely result in fewer reported breaches because it leaves the determination of whether a breach causes a real risk of significant harm entirely in the hands of the private sector companies.

Do the words “conflict of interest” seem to come up? They do and that obvious conflict of interest is fatal to the purpose of the bill. Why is a company going to want to blow the whistle on itself? It seems a bit odd and others have suggested, as has my colleague from Terrebonne—Blainville, in her Bill C-475, that it ought to be for the Privacy Commissioner, an independent officer of Parliament, to pass on that, not the industries themselves. That was the subject of much criticism in the industry committee, which studied Bill S-4.

That gives me a chance to talk about the attempt by the opposition to actually get meaningful debate in the industry committee. Since I got here, probably the most disappointing thing I have found is the government's utter indifference to any amendments unless they come from its side of the aisle.

There is an effort to have a real dialogue and to improve this and come up with a kind of unanimous support for something which is technical in nature, but the government said no to every single amendment, which, of course, in my experience is the way it does it every single time. I have been on two committees and I have not seen one amendment passed that anybody but the government proposes.

Trying to co-operate with the government to do something which is at the backbone of the new economy and it will not even talk to us. Apparently, that is how the government wants to do business. Fortunately, like so many Canadians, I hope that these are the dying days of a government with such arrogance and indifference to what Canadians want.

The efforts to try to fix this bill fell on deaf ears. My colleague, the digital critic from Terrebonne—Blainville, proposed that the Privacy Commissioner be the one who determined whether a data breach was significant enough to report, which makes sense, as opposed to the fox in the henhouse, where a company has to decided whether it is big or little.

That is not for banks to decide, whether they weigh their reputational risk that they might have versus consumers' rights. I know who could do that, an officer of Parliament. That would be the right person to do that. That is what my colleague suggested. The Conservatives propose putting the burden on companies.

Here is the problem with that, and not only the obvious conflict of interest but there are large companies, think banks, telecoms, companies of that size, that have departments that are responsible for privacy protection. More and more companies have what is called chief privacy officers to regulate this very technical area of the law.

They do a good job sometimes, but they often have this penchant that they obviously feel when they are trying to protect privacy, which is their job description, and not make a career-limiting move when information that is disclosed could cause harm, and the company would be angry with them and shoot the messenger. I have talked to CPOs in companies that tell me that the conflict is alive and well and I can understand that.

Small companies do not have these chief privacy officers, for example, to determine whether there is a significant breach or a significant risk of harm. They have no idea what to do. They want to co-operate, but they do not have the personnel or expertise to do it.

My colleague reasonably suggested that we give them a little help by letting them have access to the Privacy Commissioner's expertise and resources. Is that not a common sense provision? Is that not one that would help those small start-ups in the e-commerce industry that would really like the opportunity to do the right thing but do not have the budget to do it?

The economy in my community, the largest sector now, is not tourism or hospitality, it is high tech. The people who are producing the largest contribution to the Victoria economy are people who are just in this situation, wanting to understand the rules of the game in the new e-commerce, looking to the government to give them clarity, make it easy for them to do the right thing, so they can compete internationally, as they are doing so effectively, and to be onside with the European Union's incredibly stringent rules.

Guess what? They do not have a CPO, paid $150,000 a year or whatever, like the large banks would. The government has done nothing to assist them and they are angry about it. They do not understand why this so-called business-friendly government simply does not get it.

Some 18 amendments were proposed by the NDP and 18 amendments declined by the government of the day. We tried to work it out, but the government just wanted to jam it through. To add insult to injury, for the 97th time it used time allocation on a bill of a technical nature like this. I think the government is over 100 times now.

In the history of Parliament, has there ever been a government that has done this more often? I certainly do not know. I want to study it. I have a student looking at this because the arrogance and the anti-democratic behaviour of the government has to be exposed. The 97th time was for a bill on digital privacy. It is shocking and shameful that we are in this world today with this government.

The Supreme Court has told us that warrantless searches are wrong. They are unconstitutional. My colleague from Toronto—Danforth said we should send it to the court for a constitutional reference. We cannot have yet another loss in the Supreme Court. How many would that be? I have lost count. It is six or seven. How about having a reference to the Supreme Court of Canada?

The leader of the opposition asked for that today with respect to Bill C-51. The government, of course, would never do that. It just wants to go lose again in the Supreme Court.

The Spencer case in 2014 established that warrantless searches are a bad thing. How can the government then put these searches into Bill S-4, the bill before us, and pretend it is going to be constitutional? It is great work for lawyers. I have many friends who welcome the government's position because it is a make-work project for constitutional lawyers, but is it helping the Canadian taxpayers? Is it helping the e-commerce businesses, those little businesses from coast to coast that are struggling in this international economy? Do they have the clarity they need to go forward? Why do we have to waste our time with yet another Supreme Court loss by the government? It makes no sense.

Could the government have co-operated a little with people of good faith who wanted to make it better and solve this problem, as New Democrats tried to do in committee? One would think the government would welcome that, but it simply said no.

My next point is kind of a technical thing, but I want to raise it. We talked about breach notification, and I want to give an idea of how complicated this is for the little mom-and-pop or individual family businesses that are now arising in the economy. Clause 10, which would add section 10.1 to PIPEDA, talks about the kind of notification that is required when there is a breach. I want to give an idea of how complicated this can be and how lack of clarity means something.

Proposed subsection 10.1(5) says, “The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.”

Three times the word “prescribed” is mentioned, which means it will be prescribed by regulation to follow later. There would be regulations that would define the kinds of things that would have to be done to give notification of a breach. However, as an example, let us take a small business that is trying to do the right thing. When there is a breach, it wants to notify people immediately. What is it going to do? Until there are regulations, it is utterly meaningless.

I know the government will bring in regulations eventually. That is a good thing, and I am sure companies are looking forward to seeing them, but as they plan ahead in this incredibly dynamic sector, they do not have a clue, and neither do we. None of us can say what those prescribed requirements are, because “prescribed” means to follow later in regulations, regulations nowhere to be found. People will have to try to figure that out. People sitting in a little start-up in Victoria or St. John's or Toronto or Montreal will have to try understand how to work their way through this difficult bill.

It is a history of neglect. It is a history of failure to listen to the opposition, which wanted to work together to create this regime. It has a history of eight or nine years in coming to the dying days of Parliament, but we should not worry, because it is urgent now, according to the Minister of Industry.

New Democrats do not believe it.

Therefore, I move:

That the motion be amended by deleting all the words after the word “That” and substituting the following:

“this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it:

a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected;

b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies;

c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances;

d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and

e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”

Mr. Speaker, this bill establishes a mechanism to be used by organizations to report data breaches, data thefts, and so forth, which is very important. I called for such a mechanism in the House and proposed one in my Bill C-475.

However, the model proposed by the government in this bill is extremely subjective. The organization itself determines whether or not the data breach is serious and whether or not to notify the people concerned. Some data breaches may not be reported to the commissioner or the individuals in question. The individuals would not have the opportunity to take the necessary steps to properly protect themselves.

Instead of implementing a subjective measure, why not implement an objective measure that would put more power in the hands of the individuals whose identity or personal information has been stolen or breached?

Mr. Speaker, it is my pleasure today to rise and speak to Bill S-4.

As my colleague mentioned a couple of minutes ago, I too have very serious concerns that here we are in a parliamentary democracy with elected MPs sent here by their constituents to do the work of Parliament, and Conservatives have brought forward a bill introduced by the unelected Senate. It sort of begs this question. What was the real agenda behind doing this? Was it to fast-track it? Was it to try to give the Senate some sense of credibility as it goes through some very difficult and challenging times?

Nevertheless, it is about process, and now that I have made my point, I also want to make the point that in Parliament, as my colleague across the way pointed out, there is a natural rhythm as to how bills are introduced in the House and debated. The government, in its wisdom, first took a Senate bill instead of spending the time, of which it has a lot, to bring forward its own bill. It took a Senate bill and, even before second reading, basically declared that it was not willing to accept any amendments, which really makes one wonder what the purpose has been behind a lot of legislation.

Now I know that my colleagues across the way have an allergy to evidence, science, and data and do not really like listening to all the expert witnesses that are flown in to appear before committees. The interesting thing is that even before they heard from those witnesses, they started to make comments such that they did not want to accept any amendments because if they did, the bill would have to go back to the Senate. It does not seem to me to be a good reason to bring forward legislation that is poorly thought out.

I am not saying it is not needed. It is.

As a matter of fact, my esteemed colleague from Terrebonne—Blainville introduced Bill C-475, which would have actually addressed many of the concerns that Canadians want addressed. That is an example of a well-thought-out bill that would not overreach but would actually do the job that is needed, which is to modernize our code of conduct around personal information. With the advent of electronic and digital media, we absolutely need some changes.

Getting back to the bill, once again, it is a process that is flawed. Experts came forward and gave testimony. I sometimes wonder, if the government's mind is already made up that it is not going to accept any amendments, what the purpose is of flying in experts to present their testimony. To me, that is the highest sign of disrespect. It basically says the government has already made up its mind, but just to make witnesses feel better, it will hear from them. That is really bad form.

Here is something else. The NDP put forward 18 amendments, well thought out and researched, supported by the evidence that was presented and by experts; and other people presented 14 other amendments. True to their commitment or the bizarre statement before the bill got debated, there were zero amendments accepted by my colleagues across the way. So much for committees working with consensus.

I have often heard ministers from the other side of the House say they have to rush things through the House because at committee stage experts will be heard and that is when we get to have the really meaty debates. I have never bought that, and evidence bears out that it is not how committees work. Despite hearing expert witnesses and hearing from the opposition, the Conservative government accepted zero amendments, and that says a lot about the process.

Now the bill is back in the House, and we are debating it, but once again, there is time allocation. The government could have moved on the bill over the last number of years, but it chose not to. Here we are in the last three weeks, when suddenly the Conservatives have rediscovered that they had better do something. After all, it is election time. They are now moving time allocation to prevent the Canadian public from knowing what is really in the bill. One way to do that is to limit and shut down debate, which seems to be a very common move by the government.

Here are some facts and figures. The Conservatives made 1.2 million requests to telecommunication companies to obtain Canadians' personal information in just one year. Some 70% of Canadians feel less protected today than they did 10 years ago. With this bill, they have reason to feel even more concerned and worried, because now there are all kinds of loopholes in the bill whereby their information can be shared way beyond the person they give it to.

Some 97% of Canadians say they would like organizations to let them know when breaches of personal information occur. That is reasonable, but if companies are giving away data themselves, I personally see that as a breach, because they have breached my trust, because I gave the data to them. We have some concerns around that as well. Some 80% of Canadians say they would like the stiffest possible penalties to protect their personal information, and 91% of respondents—not 51%, not 41%, not 21%, but 91%—are very or extremely concerned about the protection of privacy. It seems to me that the government should be paying some attention to what Canadians are feeling and their fears.

There was also a Supreme Court ruling, on June 13, 2014, pertaining to the sharing of personal information. The Supreme Court stipulated that subscriber data, including name, address, email address, phone number, ID address, et cetera, cannot be disclosed to a third party without a warrant. In light of this decision, the constitutionality of certain provisions in Bill S-4 is questionable.

I am sitting here thinking that a government that really wanted to do due prudence would actually pay attention to the fact that the Supreme Court had made a ruling. Despite that ruling, we did not see any amendments from the Conservatives, nor were they willing to accept any of ours, which really lets me know that to pander to their friends, they are willing to sell out Canadians, they are willing to ignore the Supreme Court ruling, and they are burdening hard-working taxpayers with future challenges in the courts, because that is where this will certainly end up.

The NDP believes that Canada needs a mandatory data loss or data breach reporting mechanism based on objective criteria. We are not the only ones who are saying that. Witness after witness said that we need the Privacy Commissioner to have some powers over this.

Huge companies get our data through nefarious means, some of them very innocent, like when we pay bills with a credit card. They not only get what we paid and where we bought something but all that micro-targeting information can now be moved on to other companies when a company deems fit. To me, that is just not acceptable.

I would urge my colleagues across the way to not ignore Canadians or the Supreme Court ruling. Let us make sure that we address the deficiencies in this bill.

Mr. Speaker, I rise in the House today on behalf of my constituents from Surrey North to speak on Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act. I rise today because I oppose the bill in its current form.

Members from three parties proposed amendments to the bill so that it would stay within constitutional boundaries. However, the Conservatives rejected every single one of those amendments, even the amendments that were drafted according to the comments and suggestions from the witnesses.

As the official opposition, it is essential that we carefully review the legislation and voice dissenting opinions in order to ensure that each bill is thoroughly examined. In this case, as in most cases that I have experienced in the past four years, it is evident that the Conservatives are determined to push through their own agenda on their own timeline.

I feel strongly that it is important for Canadians to know that their privacy is being protected, especially in the digital age that we live in. However, just because the Conservatives have not conducted the mandatory five-year review of the Personal Information Protection and Electronic Documents Act, PIPEDA, does not mean that we should rush through an unbalanced bill.

I feel very strongly that the bill before us was not well studied and needs to be fixed before it is passed through the House. In fact, the Conservatives did not support or submit any amendments to the bill because they did not think that would allow enough time to pass the bill before the election. This sounds politically expedient to me. Canadians deserve better than what the Conservatives are giving them.

The issues surrounding online privacy and safety are not new problems. Rather, they are existing problems that have become increasingly harder to protect against as technology continues to advance. Therefore, given the changing nature of the problem, it is important that the legislation that we create also evolves.

I am glad that after so many years of inaction, we are finally considering legislation to address online privacy issues. My colleague, the member for Terrebonne—Blainville, tried to take action to protect Canadians' privacy back in 2012 with Bill C-475. Unfortunately, that bill, which was stricter and more effective than the bill before us although very similar to it, was voted down by the Conservatives.

The Conservatives have become very good at pretending they know how to do their jobs and protect Canadians. They are actually able to stand up in this House and lie through their teeth in saying that this is a balanced bill, and they believe that.

Online privacy and security breaches have the potential to significantly harm an individual. Protecting these rights is important for all Canadians so that we do not put anyone potentially in harm's way.

Some Canadians may feel that the bill does not affect them in their daily lives, but I can assure them that Bill S-4 would affect every single Canadian.

One part of the bill that I am very concerned about pertains to the sharing of our personal information. The bill contains a provision that would make it easier for companies to share our information without our knowledge or consent, without a warrant, and with zero oversight. It is troubling to me that there is no mechanism in place for oversight.

Do the Conservatives remember the ruling in Regina v. Spencer? I do. In this decision, the Supreme Court of Canada ruled that Canadians have a reasonable expectation of privacy online. More specifically, the Supreme Court stipulated that spyware data cannot be disclosed to a third party without a warrant.

In light of this decision, it is questionable whether certain provisions in Bill S-4 are even constitutional. There are limits on what the government can do, but the Conservatives seem to have forgotten that.

We are demanding that every clause pertaining to the warrantless disclosure of information be withdrawn out of respect for the Supreme Court ruling and the privacy of Canadians.

There is no doubt that the Conservatives have a dark past when it comes to protecting personal information, and this bill would only add to that darkness. The lack of oversight and the allowance of warrantless disclosure has led to 1.2 million secret requests from Conservative government agencies for personal information from telecommunications companies in one year alone. Under the current Prime Minister, staggering numbers like this show that something needs to change, and it starts with this bill.

The Conservatives' hesitation to accept amendments to this bill makes me question whose interests they are truly protecting. Are they protecting the interests of Canadians, who deserve to trust that their personal information will be protected, or are the Conservatives protecting their own self-serving interests?

We would like to see this bill contain a mandatory data loss or data breach reporting mechanism. However, the bill in its current form would most likely result in fewer breaches being reported. It would be up to the organization that suffered the breach to determine if the breach posed a real and significant risk of harm. Companies want to save their reputation and money, so why would they inconvenience themselves by reporting a potentially embarrassing breach of privacy that could cause consumers to lose trust in them when they could just hide it instead?

There would be no incentive to report a breach and no advantage to doing so. This is a conflict of interest that would deprive Canadians of the information that they need to make informed choices about which companies they decide to share their personal information with.

Furthermore, because of the Conservatives' inaction, PIPEDA, which is supposed to be updated every five years, is falling far behind international standards. Since the first statutory review in 2007, subsequent attempts to amend PIPEDA have died on the order paper. After this long wait to update PIPEDA, the bill would simply not go far enough to protect Canadians in this digital era. We as Canadians are getting the message that the government does not take the protection of personal information seriously.

I, along with my fellow NDP members, truly do not ask for much when it comes to this bill. We have long called for the modernization of Canadian privacy laws. They are not up to date. Instead of making it easy for companies to share our information, the government should put deterrent penalties put in place that would require or encourage these private companies to respect and follow Canadian laws. Following that, we insist that the provisions in Bill S-4 to allow organizations to share personal information without consent or a warrant be removed and that the loopholes in PIPEDA, which do the same thing, be closed.

The point of the Constitution and the Canadian Charter of Rights and Freedoms is to protect the very rights and freedoms contained within them. Warrantless access to our subscriber data and personal information most definitely poses a risk to Canadian privacy.

Modernizing the laws that govern the protection of personal protection is an important issue in the digital age. However, ramming through a bill that has huge holes, such as this bill, is not a fix that can make up for years of inaction by the current government. I urge the Conservatives to accept the amendments to this bill so that we can work collaboratively to ensure that all Canadians can trust that their personal information is being protected to the best of the government's ability.

One of the other things that was very troubling was seeing time allocation moved for the 97th time. Time allocation basically puts closure on this bill. It does not allow for all of the members to bring the views of their constituents into the House, which is one of our primary jobs.

This is the 97th time the Conservatives have done it and I can assure you, Mr. Speaker, they are not going to get the chance after October 19, because Canadians are tired. They have seen democracy and the workings of democracy crumble. These guys are going to be out.

Mr. Speaker, the Conservatives came to the committee study of this bill with their minds already made up. They said that we absolutely had to pass this bill in its current form without any changes, otherwise the process would take too long, especially with the upcoming election. Everyone in the House knows that we will be having an election soon, but the Conservatives had four years to do something.

The member even said in his speech that this bill was overdue and that it was needed. Of course this bill is long overdue, because the Conservatives waited four years before they introduced anything. Bill C-12 disappeared completely, and some reviews of PIPEDA simply fell through the cracks because the Conservatives did not act. They could have voted in favour of my bill, Bill C-475, and the legislation would already be amended.

Why did they adopt that attitude at the committee meetings? How can they justify such an undemocratic attitude towards this bill?

Mr. Speaker, I thank my colleague for the question.

Indeed, the way this bill was examined is very problematic. From what I remember, and someone will correct me if I am wrong, this is the only time a bill has been sent to committee for study before second reading. In such a situation, one might think there are changes to be made, otherwise why would we do that? Furthermore, this exceptional measure would allow the committee to put forward amendments that go further than the strict substance of the bill, and it is therefore a good opportunity.

We were not able to seize the opportunity, however, because the Conservatives came into the committee room saying that we should just accept the bill, otherwise there would be no changes at all to the Personal Information Protection and Electronic Documents Act, or PIPEDA.

Yes, we are running out of time. We understand that. However, the Conservatives had many opportunities to amend this legislation. They waited for years to review PIPEDA as they were supposed to do, given that under the existing legislation, the act is supposed to be reviewed every five years. We could have passed my bill, Bill C-475, which could have become law. Bill C-12 disappeared. In short, they had many opportunities.

Instead, they dragged their feet for years. When we were hearing evidence and during the study in committee, they said that time was running out and we had to accept the bill as is. Well, that is no way to operate, especially in a democracy like ours.

Mr. Speaker, unfortunately we will oppose Bill S-4 for the reasons I will provide in my speech.

What I am especially disappointed about is that we all voted in good faith for this bill to be studied in committee before second reading. We told ourselves that we could perhaps work together to improve the bill and eliminate the most problematic parts or ensure that it would truly protect Canadians in the digital age. Unfortunately, that did not happen, even though we know that there are more and more risks associated with protecting personal information online.

For more than four years, we have been in Parliament with the same government that rejects all our motions and refuses to work with us in committee. This time, I do not know why, but I had hoped that we could work together.

Usually, a bill is sent to committee before second reading because there are problems with the bill and we want to make changes. Perhaps we want to change something or make changes to PIPEDA that go beyond the immediate scope of the bill. We had hoped to work together. Unfortunately, that did not happen.

That is why I moved three motions today to remove the most problematic sections from this bill. These motions will be voted on together.

We heard over and over that these two sections—clauses 6 and 7—are extremely problematic. These clauses will make it easier to share people's personal information without their consent and without them even knowing that their personal information is being shared. The government is trying to broaden the scope of situations in which information can be shared without consent. That is extremely problematic.

Obviously, there are sometimes extreme circumstances that require personal information to be shared. Such situations exist. Everyone knows that. We take issue with the fact that there is no transparency. There is no mechanism in place to ensure that this information is shared only in exceptional and urgent circumstances. What is more, the threshold of reasonable suspicion is very low.

As a result, we voted against these clauses when the bill was examined in committee. Unfortunately, the Conservatives decided to go ahead with them anyway.

We even proposed amendments to improve these clauses by restricting the kind of situations in which information sharing can happen and creating a system that encourages transparency. There has to be an accountability or oversight mechanism to ensure that this information sharing only happens under exceptional circumstances. That is really not the case.

As I said, we proposed amendments to improve the bill because everyone in the House of Commons knows that protection of personal information is a big issue right now, one that is really important to our constituents.

I even give computer security courses to seniors in my community because they want to understand how to use new technology and they want to have a certain level of confidence when it comes to protecting their information and their identity.

Everyone agrees that this is an important issue and that we have to update PIPEDA to ensure that it can better address the threats present in the digital age in the 21st century.

Unfortunately, the Conservatives' approach was to put something on the table and refuse to accept any amendments or listen to what the witnesses had to say. They just forged ahead.

All of the parties proposed amendments, except for the Conservatives, of course, and all of the amendments were rejected. The NDP even proposed 18 separate amendments that were all rejected.

Most of all, I deplore the fact that from the beginning of the committee's examination of this bill before second reading, the Conservatives said they did not want to change anything. Why should we bother voting to send something to committee before second reading if, from the beginning, the Conservatives have already decided that they will not change anything? It makes no sense. It also demonstrates bad faith. We are supposed to examine bills with an open mind and a desire to improve them, correct their shortcomings and work together. That is what it means to live in a democracy.

The Conservatives even insulted some of the witnesses during the study in committee, telling them that they could choose to either vote for the bill in its current form or accept that there would be no changes to the Personal Information Protection and Electronic Documents Act before the next election. I understand we are having an election soon, but the Conservatives had plenty of opportunities to modernize the Personal Information Protection and Electronic Documents Act. There was Bill C-12, which simply disappeared because of prorogation. The bill that I introduced in the House contained very similar provisions to the ones found in Bill S-4, but the Conservatives voted against my bill.

These changes could have already been in the legislation. Unfortunately, the government suddenly says the timeframe is too tight and the only thing we can do is pass the bill as is despite all its problems and flaws. The government simply wants to pass the bill as is. I think the Conservatives are being disingenuous about this. To tell all the witnesses that the choice is between this bill and nothing is really insulting to them after they took the time to travel here to share their opinions and present their proposed changes.

Since the government rejected all the amendments and we did not manage to improve the bill, the NDP will have to vote against it even though we recognize that some provisions are a step forward, although they do not go as far as they should. Nonetheless, I cannot vote in favour of a bill that will create more opportunities for personal information to be shared without consent, without authorization, without the individual concerned being informed, and without a proper oversight mechanism. That is what this bill would do.

Clauses six and seven, which my motions would eliminate, will weaken the protection of privacy by allowing the sharing of personal information without the consent and authorization of the individual concerned. I already stated that the threshold was very low. I proposed raising the threshold so that the organization asks questions before sharing this information. The Conservatives refused. The Privacy Commissioner even raised concerns about this provision. He said that it could open the door to abuses, and that is what we found. This government made 1.2 million requests to Internet service providers to obtain personal information as a result of flaws in the Personal Information Protection and Electronic Documents Act. There have been actual abuses. As members of Parliament, we cannot consciously open the door to further abuses. However, that is exactly what clauses six and seven of this bill do.

I will now read what the Privacy Commissioner said at the February 17, 2015, meeting of the Standing Committee on Industry, Science and Technology:

Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.

This is very problematic because according to its title, this bill is supposed to create the digital privacy act. I am sorry, but there is a problem when parts of the bill contradict its objective. You do not have to be a genius to understand that.

I would like to share a quote from Michael Geist, who also testified at the Standing Committee on Industry, Science and Technology on March 10, 2015:

...the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed....With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

He also took the opportunity to disagree with the process that the Conservatives put in place and the idea that we should pass this bill without amendment because we are out of time.

The warning mechanism for a data security breach proposed in the current bill is another problem. Many parliamentarians understand the need for such a mechanism. This was brought up in the committee on which I sit, the Standing Committee on Access to Information, Privacy and Ethics, while we were studying this bill.

As the Privacy Commissioner has said many times, we must require that organizations notify individuals when their data are compromised. In a number of cases, as with Target and Home Depot, the data of thousands of people have been compromised or lost completely. Since the people in question are not always informed, they are not in a position to protect the compromised data. That is a huge problem.

Bill S-4 fixes this problem but does not really go about it in the right way. The proposed model is much too subjective because it allows the organizations themselves to determine whether a data breach creates a real risk of significant harm to an individual. The organizations therefore have to police themselves. They also decide for themselves whether to inform, or not, the Privacy Commissioner and the individual affected of any data breaches that occur.

The model that I am proposing is more objective. I proposed it before when we were examining this bill in committee and when we were examining my private member's bill, Bill C-475, which could have been passed already had the Conservatives not voted against it. This model would give the Privacy Commissioner the power to determine whether a security breach is serious enough to inform the individual. Thus, it would not be up to the organizations to do it.

What is more, PIPEDA covers all organizations, from convenience stores to large digital technology corporations. Some organizations, such as convenience stores that have only a couple of employees, are unable to determine how serious a data breach is. It is therefore important to allow them to turn to an expert, namely the Privacy Commissioner.

I would like to read a quote from John Lawford, the executive director and general counsel for the Public Interest Advocacy Centre, who testified before the Standing Committee on Industry, Science and Technology on February 19, 2015. He said:

Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4, incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.

As he said, the proposed mechanism is much too subjective. It is unfortunate that the Conservatives refused to implement a more objective system.

This bill does not give the Privacy Commissioner the power to issue orders. The former privacy commissioner, Jennifer Stoddart, asked for that repeatedly. Provincial privacy commissioners also wanted it because they have that power.

All too often, organizations do not act on recommendations made following an investigation by the Privacy Commissioner. Big international companies do not think they need to comply because it is just Canada, but Canada's laws must be respected. When our laws and the Privacy Commissioner's recommendations are constantly ignored, we need to fix that problem.

We could give the Privacy Commissioner the power to issue orders, but there is nothing about that in the bill. Instead, it calls for compliance agreements, which do not go far enough and do not really motivate organizations to act on the recommendations because they are not orders. We wanted to fix this problem, but once again our proposal was rejected.

I would have liked them to adopt the model I proposed in Bill C-475. I suggested following the usual investigation procedures, after which the commissioner would issue orders and set a deadline for compliance. The parties would act in good faith. For example, if problems were not resolved within a year, the Federal Court would impose a fine.

This system would give organizations that comply with the law and the recommendations a chance, with no repercussions whatsoever. However, if we do not find a solution and do not encourage organizations to respect privacy, there will continue to be abuse, and the law and the Privacy Commissioner's recommendations will continue to be ignored.

Bill S-4 is a step in the right direction, but it does not go far enough. That is what I said throughout the entire study. As a matter of fact, some witnesses also said it was important to have a system that truly encourages privacy protection.

What is more, given that we studied this bill in committee before second reading, we had the opportunity to correct other problems with the Personal Information Protection and Electronic Documents Act, because we knew there were some flaws. Under what circumstances is it acceptable for the government to submit at least 1.2 million requests a year for personal information to Internet service providers? This is a serious problem, but nothing is being done about it.

I thought we could sit down as parliamentarians and come up with ways to put oversight and transparency mechanisms in place and even get rid of these flaws and abuses. This was a missed opportunity.

Recently, the Supreme Court established in Spencer what was reasonable and not with regard to privacy protection. Unfortunately, that ruling was not taken into consideration during the study in committee. The Personal Information Protection and Electronic Documents Act was not amended in order to make it consistent with the Supreme Court ruling. That needs to be done. The government needs to show some vision and correct these flaws to provide better protection of Canadians' privacy because that is what Canadians deserve.

Mr. Speaker, I rise today to speak to Bill S-4, which amends Canada's privacy legislation. However, in its current form, Bill S-4 contains measures that will make it easier to access personal information without a warrant.

By proposing to refer this bill to a committee before second reading, the government has decided to take a new legislative route with this bill.

Indeed, the government motion aims to refer this bill to a committee before second reading. This motion will therefore allow members to examine Bill S-4 before second reading and propose amendments that will modify its scope.

We support the motion, because we hope that some of the serious concerns we have about this bill will be examined in committee. We are very concerned about the fact that one provision in Bill S-4 makes it easier for organizations to share personal information without a warrant or consent from the client, and without the appropriate oversight mechanisms in place.

In an article published in the spring 2014 journal of the Ligue des droits et libertés, Stéphane Leman-Langlois, the Canada Research Chair in Surveillance and the Social Construction of Risk at Laval University in Quebec City, gave a very clear explanation of the risks associated with industrial surveillance.

Here is what he had to say in that article:

We easily forget that every second of the day, a myriad of private entities are collecting a mountain of information on us, our habits, our behaviour, and our interactions with others...

A number of commercial entities have to collect basic information on their clients just to provide them with the service they require. A mobile phone could not work without continually indicating its location. The company also has to keep records, for billing purposes, on the calls received and made with the phone...

As you can imagine, this adds up, and after a while can represent massive amounts of data...

The information that metadata can provide about us is absolutely unbelievable. An ongoing experiment at Stanford University, with 500 volunteers willing to share their metadata, has shown that the researchers could determine financial records, health status, membership in the AA, whether the individual had an abortion or owned a gun, and many other things...

Just recently, the spotlight was on certain government intelligence agencies that were deeply involved in the widespread collection of information on Canadians. The agencies in question were specifically the RCMP, the Communications Security Establishment Canada, or CSEC, the Canadian Security Intelligence Service, or CSIS, and the National Security Agency, or the NSA, from the U.S.

Often...these agencies stop collecting or actively intercepting data and simply demand data that has already been gathered by companies...

All this may seem remote from our daily reality...but this activity has a perfectly tangible impact on our lives as ordinary citizens...

The picture being painted by Professor Leman-Langlois of Laval University, should make us realize the importance of the subject being debated today.

However, this is what this same professor and expert in security information had to say on the government's current position:

We can all agree that there is not very much privacy on the Internet, but still, there are some very weak protections in place. However, rather than strengthening privacy, which of course would be the best thing to do, the government is bombarding us with bills that will reduce those protections.

Although Bill S-4 proposes significant amendments to the Personal Information Protection and Electronic Documents Act, such as the obligation to report any breach of security safeguards involving personal information and increased powers for the Privacy Commissioner, the NDP is worried about the negative impact that some provisions of the bill will have on Canadians' privacy rights. The Conservatives have a very poor track record when it comes to protecting personal information, and Bill S-4 will not fix this troublesome past.

In just one year, government agencies secretly made over 1.2 million requests to telecommunications companies for personal information without a warrant or proper oversight. What is more, according to documents we obtained, the Canada Revenue Agency was responsible for more than 3,000 privacy breaches in less than a year. Last month, here in the House, I asked whether the government intended to follow the NDP's recommendation to set up a committee of independent experts to look at how the government uses and stores Canadians' communications data. However, as usual, the government had nothing to say. The Conservatives never gave me an answer to my question. The government should have taken advantage of the opportunity afforded by Bill S-4 to correct the flaws in PIPEDA that led to repeated violations of Canadians' privacy.

In 2012, the NDP introduced Bill C-475. This bill would have added online data protection standards to federal legislation that are similar to those in Quebec's personal information protection act. Quebec's data protection standards would have been applied to all federally registered organizations and to organizations with customers and users in Quebec. The Conservatives opposed our bill, and now they have introduced a watered-down version of the same bill.

The NDP believes that Canada needs to require mandatory reporting of the loss or breach of personal information based on objective criteria, as proposed in Bill C-475. The NDP also wants to remove the provisions from Bill S-4 that allow organizations to disclose personal information to other organizations without the consent of Canadians and without a warrant.

In order to truly protect Canadians' privacy, deterrents should be put in place to encourage or force private companies to abide by Canadian laws.

That is what the NDP is proposing, and we hope that the government will listen to us in committee, because that is what we are asking for. We think we need to get to the point, and that is why we are here. If this is not done properly, we would certainly need a committee of independent experts. As I said, I think the solution is there, but as we have seen too often, the Conservative government cuts corners and we end up with something like this.

I will now take questions.

Mr. Speaker, yet again, I listened with great interest to my Conservative colleague's speech.

I have a more specific question for him. I agree that a data breach notification requirement is essential. I even proposed a similar measure in my Bill C-475, which the member voted against.

In my model, I proposed an objective mechanism that would not make organizations themselves responsible for determining whether the data breach or leak was significant enough to notify the client concerned.

What Bill S-4 proposes is really subjective. It would have the organization make its own determination. Many lawyers, experts and academics have found this approach problematic. Does my colleague think that this approach is problematic?

Mr. Speaker, I would like to thank the hon. member for Terrebonne—Blainville, who is our digital issues critic.

I would like to congratulate the official opposition for taking initiative and appointing a digital issues critic. We understand the complexity of these issues, which require an approach that balances rapid technological advances and the protection of privacy.

Her bill, Bill C-475, was a commendable initiative. The legislative summary that was prepared stated that the bill aimed to improve the protection of private information. We have to wonder why the government did not support such a worthwhile initiative.

We continue to point out that the government sometimes lacks a balanced approach. It sometimes freely grants the authority to monitor people without a warrant.

Mr. Speaker, I would remind the House that we are debating a motion to refer Bill S-4 to committee before it passes second reading.

The member who just spoke talked about all the good aspects of Bill S-4, and yet he voted against my Bill C-475, which proposed more or less the same things, if not better protections for Canadians.

However, my question is more about the Supreme Court decision regarding a provision of this bill related to personal data. We do not know whether the Conservatives plan to change this provision during the study in committee.

Is the member who just spoke afraid that this bill will be considered unconstitutional? If not, why does he not want to consider the Supreme Court's decision in the Spencer case in relation to this bill?

Mr. Speaker, I am happy to rise in the House today to speak to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act. As members know, today's debate turns not precisely on Bill S-4 but on a motion to refer the bill to committee before second reading.

The concerns that I will raise with respect to the bill itself, which go as far as to challenge the constitutionality of the bill, would likely be fatal to the bill at second reading, but we need not concern ourselves with that today. We need not arrive at a conclusion about how fatal these flaws are or how injurious they are to the bill.

The motion before us today would allow us to visit the scope and principle of the bill at committee and make, as required, amendments to those very principles and scope of the bill.

Today, I would argue that this motion warrants support, so that we have the flexibility to properly study, examine and propose amendments to the bill at committee before the principle and scope are set.

Let me set out a few reasons why this is particularly important in these circumstances and relating to this particular legislation.

First, let me address the issue of public opinion that sets the context in which this bill and more broadly the issue of privacy concerns exist.

According to a survey of Canadians on issues related to privacy protection conducted last year, 70% of Canadians feel less protected than they did 10 years ago; only 13% of Canadians believe that companies take their privacy seriously; 97% of Canadians say they would like organizations to let them know when breaches of personal information actually occur; 80% of Canadians say they would like the stiffest possible penalties to protect their personal information; and 91% of Canadian respondents were very or extremely concerned about the protection of privacy.

The current government cannot absolve itself from contributing to this level of public concern about privacy issues. It is not just a matter of legislative lethargy; that is, it is not just about the fact that we are well past the five year mark for the conduct of a mandatory review of the Personal Information Protection and Electronic Documents Act, an act that is by now well behind international standards and has failed to keep up with technological advancements in this digital age.

Part of the issue here is that the current government has itself repeatedly demonstrated insufficient care for the personal privacy of Canadians through its own conduct. I would point to the fact that in one year alone, under the current Prime Minister's watch, government agencies secretly made more than 1.2 million requests to telecommunications companies for personal information, without warrant or proper oversight.

It is a government with a seemingly insatiable appetite and perhaps an addiction to Canadians' personal information. It is a government that needs to be constrained by effective legislation that protects the privacy and personal information of Canadians. It is a government that has no credibility on this subject matter.

This is evident in the legislation that the Conservatives have defeated in this House. In 2012, our NDP digital issues critic, my colleague from Terrebonne—Blainville, put forward Bill C-475, a bill to amend the Personal Information Protection and Electronic Documents Act. It would have applied similar online data protection standards that exist in Quebec's personal information protection act. For example, Bill C-475 would have given the Office of the Privacy Commissioner of Canada the power to issue orders following an investigation. The Conservatives defeated that bill at second reading. They also defeated our NDP opposition day motion on May 5 last year. That motion simply called on the government to close loopholes in existing legislation that currently allowed the sharing of personal information without warrant.

The current government's disregard for private and personal information is also evident by the legislation that it has brought forward.

Bill C-13, the government's cyberbullying law, includes lawful access provisions that would expand warrantless disclosure of information to law enforcement by giving immunity from any liability for companies that hold the information of Canadians to disclose it without a warrant. This makes it more likely that companies would hand over information without a warrant as there are no risks that they would face criminal or civil penalties for such conduct.

There is a thread here that runs through the government's own efforts to access the personal and private information of Canadians through to their conduct and voting record in this place. It goes against the interests and concerns of Canadians and denies the wishes of Canadians for greater protection of their personal and private information.

In other words, the issue before us goes to the principles underlying this bill. They need to be examined and amended at committee. For example, while Bill S-4 would make it mandatory to declare the loss or breach of personal information for the organizations in the private sector and penalize organizations that do not fulfill this obligation, the proposed criteria for mandatory disclosure remains subjective. It would allow the organizations themselves to assess whether “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”.

More and most problematically still, Bill S-4 would add exceptions under which personal information may be collected, used or disclosed without an individual's consent. The bill would make it easier for organizations to share personal information with each other without the consent of individuals if the organizations are engaged in a process leading to a “prospective” business transaction. In other words, under certain circumstances, the bill allows personal information of one organization's clients to be shared with another organization without the consent or knowledge of those individuals.

Here we run into some significant problems with this bill. The amendments proposed contradict the very foundation of the act they seek to amend and serve to defeat what the Supreme Court called in R. v. Spencer the act's “general prohibition on the disclosure of personal information without consent”. As the Supreme Court said in that recent decision, “PIPEDA is a statute whose purpose is to increase the protection of personal information”.

The Supreme Court, in R. v. Spencer, got to the heart of the issue here, understanding what the government has failed to understand about the issue of informational privacy in the digital age. It is worth quoting at length here. It stated:

Informational privacy is often equated with secrecy or confidentiality, and also includes the related but wider notion of control over, access to and use of information. However, particularly important in the context of Internet usage is the understanding of privacy as anonymity. The identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. Subscriber information, by tending to link particular kinds of information to identifiable individuals may implicate privacy interests relating to an individual’s identity as the source, possessor or user of that information. Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure.

So, from subscriber information, the Supreme Court has connected that information through to search and seizure.

We have at least before us a major concern with the principles of this act, but seemingly too a bill that is simply unconstitutional. Leaving aside for the moment this latter issue, let me suggest by way of conclusion that if there is something in Bill S-4 that is salvageable, it can only be so if this bill moves to committee before this House sets in concrete the principles and scope of this bill, and limits the kinds of amendments that can arise out of committee post second reading.

Mr. Speaker, I will begin by refuting the claim by the member regarding New Democrats secretly harbouring these strange desires to become senators. For the entire 50-year history of the New Democratic Party, we have called for abolishment of the Senate.

We believe in Canadian society and we do not need to have a House for people who consider themselves above the rest of us, which is often what has happened. Certainly there are currently cases before the courts regarding Mike Duffy, Pamela Wallin, Patrick Brazeau, and Mac Harb. This is certainly not a group that any New Democrat wants to become a part of. It flies in the face of democracy.

As my colleague for Nickel Belt pointed out, if the bill is so important, why is it coming from the Senate rather than the government?

The Conservatives have formed government for nearly eight years now, and they are finally getting to this matter. Hacking is not new. Invasion of privacy is not new. Why were these changes not brought before us years ago?

I would also like to address the fact that the bill is being referred to committee before second reading. I actually applaud the government for this move, but my next question is to ask why this did not happen before. Why was this approach not taken regarding electoral reform? Why was this approach not taken regarding some first nations' issues that have come before the House so that we would have a broader scope of study within committee and an attempt at working together?

When the parliamentary secretary first rose to speak on the bill, he said that bringing the bill to committee before second reading would help to ensure that the best bill would be brought forward. I think it demonstrates that perhaps the current government is not always interested in bringing the best bill forward, because we are three years in, and this is the first time that the Conservatives have chosen this approach.

We have had numerous instances of bills being brought forward by the government and then being overturned by the Supreme Court of Canada. We potentially could have prevented that from happening had we taken this approach with other bills or had the government listened to opposition amendments and suggestions to make sure that the bills conformed with the law.

Traditionally, of course, adoption at second reading amounts to approval of the principle of the bill by the House. This can often restrict the committee's ability to make changes and amendments, which is something we would avoid with this bill. I hope that the industry committee takes the proper amount of time to study this issue before referring it back to the House. I certainly think the capacity is within the industry committee to do so. We have an opportunity to fix the parts of the bill before us that are lacking.

With regard to the rationale given by the member across the way for some intrusions into privacy, it is not so cut and dried. It is not a black-and-white issue. These are issues that need to be explored further, and the committee setting is the appropriate place to do that. The question is, will that in fact happen?

Most of us are surprised and a little confused as to why the government is taking this approach. The Conservatives have had many opportunities to use this approach in the past, but have never chosen to. It will be very interesting to follow the proceedings in the industry committee to see where this goes. Is it because government members want to make substantive changes that their brethren in the Senate missed, avoided, or did not put in?

Perhaps that is why the Conservatives are bringing it forward, but only time will tell. One of the very important lessons I have learned here is not to believe it until it happens, which can be said of so many different things we do in the House. There are a lot of rumours out there, but it would be good to try to stick to fact as much as possible.

Since the committee will have the opportunity to properly consider and make necessary changes to the bill, we are supporting the motion to send the bill back to committee. I think it makes a lot of sense, and it is an approach that should be used more often.

That this was done without a warrant raises questions. I would hate for court cases to be moving forward in which evidence might be thrown out because warrants were not obtained. The result would be an increased cost for the judicial procedure, and there is the potential as well for letting some criminals off the hook when they should be facing prosecution. We definitely need to beef up those aspects.

There is a provision within the bill that would make it easier for companies to share personal information without warrant or consent from clients and with no proper oversight mechanisms in place. Following a recent decision from the Supreme Court of Canada, this provision will most likely be considered unconstitutional.

The government must respect the Supreme Court ruling by withdrawing all clauses relating to warrantless disclosure of personal information from the bill. That is a very reasonable position. Canadians would expect that if law enforcement agencies are seeking people's personal information, they would have to follow a process, and obtaining warrants is a very important part of our system. It has to be proven that the information is needed before a warrant is obtained. That is a minimum standard when seeking this information. Currently, with these warrantless provisions, requests can be made without any oversight. That is troubling to many Canadians who are concerned about their privacy.

We are also concerned about many of the negative consequences that certain provisions in this bill might provide.

It is also interesting to note that the bill was largely inspired by Bill C-475, which was tabled in 2012 by my colleague, the member for Terrebonne—Blainville. Rather than wasting time and avoiding creating better protections for Canadians, the Conservatives should have simply supported the NDP's bill, which would have done more to protect Canadians' privacy.

Privacy has been a thorny, low-priority issue for the Conservatives, who have been incapable of adequately protecting Canadians' privacy. Their own departments have been responsible for allowing thousands of breaches of personal information while citing privacy considerations and decrying heavy-handed government.

The Minister of Industry argued that the long form census was intrusive to Canadians' privacy, and it was eliminated. However, the government sees nothing wrong with invading Canadians' private information without a warrant and without telling them. It is bizarre that these things would be happening and that nobody knows about them until it is too late.

Now I look forward to questions from colleagues.

Mr. Speaker, in the digital age, there are many new risks. I offer a computer security course for seniors at a seniors centre in my riding. This helps me to see just how concerned people are about the risks they face in the digital age. These individuals do not necessarily know what happens when they enter their personal information into the vortex of Facebook, Google or any other network. People often think about the two examples that I just mentioned, but this goes even further than that. Phishing emails are often sent to people who do not necessarily know how to distinguish between a phishing email and a legitimate email.

I want to share some key figures that show just how concerned people are about this issue. A total of 70% of Canadians feel less protected than they did 10 years ago, 97% of Canadians would like organizations to inform them in the event of a data breach, and 91% of Canadians say that they are concerned or extremely concerned about the protection of personal information. That is huge.

The NDP has taken action on this file. We introduced Bill C-475. On one opposition day, we moved a motion to close the gaps in the Personal Information Protection and Electronic Documents Act and to enhance the transparency of the parallel system for information sharing between Internet service providers and government agencies. We took action. Unfortunately, the government took an extremely long time to propose amendments to the Personal Information Protection and Electronic Documents Act and debate them. We are happy to be doing this today. Unfortunately, this is not an ideal bill. It needs to be improved.

Mr. Speaker, the motion we are looking at today is unique in that it is the first of its kind in Parliament.

We have to wonder whether it is worth sending this bill to committee before it is passed at second reading, since that is not in keeping with the usual legislative process. While I have numerous concerns about Bill S-4, I still plan on supporting today's motion because I think that we can work together to improve the bill. However, that does not mean that I support the bill, and I must make that distinction.

As parliamentarians, we have been elected to work together and find effective solutions. That is what I am hoping to do today. I want to reach out to the government in the hopes of improving this bill because some of the elements are a step in the right direction.

As the hon. member for Chicoutimi—Le Fjord said, I introduced Bill C-475 in the House. That bill was designed to make significant changes to the Personal Information Protection and Electronic Documents Act, PIPEDA, to ensure it reflected the reality of the digital era. Unfortunately, the Conservatives voted against it. There could have been better protections in place, but we were unable to work together. This time around, I hope that will be possible.

It is extremely important that PIPEDA be updated, since it has not been updated since the very first iPod was introduced. Technology has evolved. Facebook did not even exist yet at the time. Things have really changed, and the law must reflect the current reality. This bill is a good first step, but it does not go far enough.

For instance, it is important to introduce a mandatory system for notifying users of data losses and data breaches. However, the model proposed by the government is subjective: organizations can decide whether the data breach is significant enough to report. In some situations, these organizations will not have the best means or knowledge to do this, especially the really small organizations. Is it really in their interest to disclose such data breaches? Probably not.

Bill C-475 proposed a model that was objective. That is one aspect that must absolutely be improved in order to better protect Canadians' privacy, and I hope this change can be made in committee.

It is important to implement a system that will ensure greater compliance with PIPEDA. With international digital mega-corporations in the picture, our laws are too frequently broken because there are currently no penalties. That is why we need a system of penalties to enforce corporate compliance with PIPEDA and Canadian privacy laws.

Unfortunately, Bill S-4 does not go far enough in this respect. It creates the option of putting together a committee that will act in good faith. Sometimes everyone acts in good faith and is happy, but that is not always how things work.

The commissioner has to be able to issue orders earlier in the process, but that is not what the government has proposed. That is what I proposed in Bill C-475, and that is another change that will have to be made to Bill S-4 before we can support it.

However, what really bothers me about this bill is the provision that would allow organizations to share personal information without a warrant and without the consent of the individual concerned. That is a huge problem. Even though this bill is called the digital privacy act, it contains a provision that could really interfere with the protection of privacy. I find that deeply contradictory.

It is also extremely important to point out that between the time that this bill was drafted and the debate today, the Supreme Court reiterated in its ruling that information such as data from Internet service providers on their clients, including their IP addresses, email addresses, names, telephone numbers, and so forth, are personal information and cannot be obtained without a warrant. Obviously, I am paraphrasing, but that is more or less what the Supreme Court ruled.

I have major reservations about the constitutionality of this provision of the bill. I asked the government to reassess it and withdraw it. Unfortunately, my request was not favourably received.

I think we could work together during review in committee on withdrawing this provision, which may violate the Canadian Constitution. I hope that is why the Conservatives want to send this bill to committee.

Obviously this is a Senate bill. During review in committee, a number of witnesses shared their concerns over this very provision. The Privacy Commissioner said the following in a brief:

Allowing such disclosures to prevent potential fraud [as provided for in clauses 7(3)(a.1) and 7(3)(a.2)] may open the door to widespread disclosures and routine sharing of personal information among organizations on the grounds that this information might be useful to prevent future fraud.

Indeed, the government wants to protect personal information, but allowing access to that information without a warrant, without consent, without any judicial oversight and without transparency is very problematic.

On many occasions, the government has used PIPEDA and its loopholes to call on Internet service providers and ask for Canadians' personal information. Why? We do not know. We do not even know exactly how many requests have been made, because this information is not available to the public. However, based on what the Privacy Commissioner revealed, we know that in a single year, government agencies made at least 1.2 million requests to Internet service providers to obtain personal information about their customers. That is a huge problem.

The government could have taken this opportunity to truly protect Canadians' privacy and to fix the loopholes in PIPEDA that allow this kind of information to be transmitted without legal oversight, without consent and without any transparency. It could have done that. I hope it will do so during the study in committee. That is very important. I am just making a suggestion.

We are debating the motion today. We are prepared to agree to study this bill before it passes at second reading, as is usually the case. I hope that this will be a gesture of good faith, and that the Conservatives will take this opportunity to fix the loopholes in PIPEDA and to eliminate the clause allowing organizations to share information without a warrant. We cannot support a bill that contains provisions that violate Canadians' privacy.

Mr. Speaker, I thank the two previous speakers.

My colleague from Terrebonne—Blainville had some good questions for the parliamentary secretary. She even introduced Bill C-475, which proposed a number of provisions that can be found in Bill S-4.

Why did the Conservatives not vote in favour of the bill introduced by my colleague from Terrebonne—Blainville, even though several of the provisions in her bill are in Bill S-4, which they want to pass?

Mr. Speaker, I would like to thank my Liberal colleague for his speech, and especially for his comments regarding the minister's response. Many questions were asked by the NDP and the Liberals in question period and he always answered that Canadians were not targeted.

I do not know to what extent MPs understand how the collection of metadata works. Metadata about 100 million people in one room can be collected without targeting anyone. However, information has been collected that could reveal many things about a particular person.

The answer given leads us to believe that the government is not very concerned about protecting Canadians' privacy. We have seen that on a number of occasions. For example, the Conservatives voted against my Bill C-475 on personal information protection. Furthermore, they have failed to put in place transparency mechanisms for CSEC.

Consequently, what are the risks of casting a large net to collect metadata about so many Canadians? What risks does this pose to Canadians' privacy?

Mr. Speaker, I thank my colleague from Ottawa—Vanier for his question.

He touched on a very important aspect of today's debate, which is the right to privacy and the fact that the Conservative government is dragging its feet in this debate and has not proposed anything meaningful for years.

As I mentioned, my colleague from Terrebonne—Blainville introduced Bill C-475 on privacy protection. I know that my colleague opposite voted in favour of this bill, which proposed greater structure and some privacy safeguards.

We on this side of the House have noticed a flagrant lack of privacy regulations, and the fundamental rights of freedom and national security are being violated.

I find it sad to see that the Conservatives on the other side of the House do not want to create all-party structures and that they are trying to shut down the debate on the right to privacy.

Mr. Speaker, I am pleased to rise today to speak to the motion moved by the second opposition party. The motion reads as follows:

That the House express its deep concern over reports that Communications Security Establishment Canada (CSEC) has been actively and illegally monitoring Canadians and call on the government to immediately order CSEC to cease all such activities and increase proper oversight of CSEC, through the establishment of a National Security Committee of Parliamentarians as laid out in Bill C-551, An Act to establish the National Security Committee of Parliamentarians.

How did we come to the point where we are debating such a motion in the House? It all started on June 10, 2013, when the previous minister of national defence approved a CSEC program to monitor the telephone and Internet activities of Canadians by collecting metadata. The program was first created by the Liberals in 2005, but was later suspended because of the concerns raised by the organization responsible for overseeing CSEC.

The minister at the time denied that statement. The law is very clear in that regard: CSEC does not have the right to spy on Canadians. The legislation that sets out its mandate explicitly states that its activities:

273.64(2)(a) shall not be directed at Canadians or any person in Canada; and

(b) shall be subject to measures to protect the privacy...in the use and retention of intercepted information.

There is only one exception to that provision. If the Minister of National Defence authorizes it, CSEC can get around that provision, which happened 78 times between 2002 and 2012.

In June 2013, the minister said that he had authorized nothing of the sort. However, in August 2013, Justice Robert Décary indicated in his annual report that Canadians had been the target of some spying activities. Unfortunately, the saga does not end there. In the months that followed, numerous documents revealed that CSEC had been spying illegally on Canadians. The latest revelations are probably the most troubling. On January 30, 2014, CBC uncovered information indicating that CSEC was able to track the movements of passengers at Canadian airports who used the free Wi-Fi networks on their mobile devices, including phones, tablets and computers. Not only did CSEC track them in the airport, but it continued spying on their devices for several weeks.

Those kinds of discoveries about CSEC's actions are alarming. What happened to abiding by the law and upholding the public trust in our intelligence systems? What happens when the system is broken and the public becomes distrustful?

That is why the NDP will be supporting today's motion. We need to take action before this problem gets even worse. However, I must point out that there are some significant flaws in this motion, particularly in relation to some of the provisions in Bill C-551.

Bill C-551 proposes to establish a committee made up of members of the House of Commons and senators who would be mandated to review national security activities of federal government departments and agencies. First, this committee would report to the Prime Minister, and he would be entitled to hide information from Parliament. It is crucial that the Prime Minister not be able to conceal national security information from parliamentarians under Bill C-551.

Second, this bill would give unelected senators a seat on the review committee. Honestly, I am not entirely sure where the Liberals stand, with their Liberal senators who are sitting outside of the caucus, or their independent Liberal senators, or their Liberal sympathizers who happen, by sheer coincidence, to be senators. It is all rather confusing. The NDP feels that only individuals duly elected by Canadians should be part of the committee.

That is why, last October, my colleague from St. John's East moved a motion to that effect. The motion reads as follows:

That (a) a special committee on security and intelligence oversight be appointed to study and make recommendations with respect to the appropriate method of parliamentary oversight of Canadian government policies, regulations, and activities in the area of intelligence, including those of all departments, agencies, and review bodies, civilian and military, involved in the collection, analysis, and dissemination of intelligence for the purpose of Canada’s national security;

(b) in the course of its work the committee should consider the methods of oversight adopted by other countries and their experiences and make recommendations appropriate to Canada's unique circumstances;

(c) the Committee be composed of 12 members, 7 from the Conservative Party, 4 from the New Democratic Party, and 1 from the Liberal Party, to be named following the usual consultations with the Whips and filed with the Clerk of the House...;

The committee's makeup would reflect that of the House. The motion also provided that:

(i) the special committee report its findings and recommendations to the House no later than May 30, 2014.

Canada is not the only country to consider parliamentary oversight of national security issues. The United Kingdom, Australia and New Zealand all have well-established systems that enable parliamentarians to ask the government for reports on national security issues. That is not the case in Canada. The only thing this Conservative Prime Minister has created is a cabinet committee on national security whose job is to supervise Canadian national security activities. However, this is a cabinet committee, not a parliamentary one, so it is not accountable to anyone.

If the Conservatives had really taken national security issues, protection of Canadians' privacy and problems related to CSEC disclosures seriously, they would have paid attention to this motion as soon as it was presented in the House, and we would already have a committee of elected representatives in place to deal with this kind of situation. Instead, the government is letting the problem persist and shows no interest in managing it. Worse still, in a recent report, the Privacy Commissioner suggested that privacy protection was not a priority for this government. That is shameful.

People have become distrustful. About 80% of Canadians are now connected to the Internet. People spend an average of 41 hours on the Internet a month. In terms of Internet use, we rank second in the world. In addition, the digital economy is growing fast. In 2012, Canadians spent $22.3 billion online. They already have serious doubts about how well their privacy is protected. Some 13% of people believe that their information is well protected on the Internet. If people can no longer trust that their own government will not spy on them, what or who can they turn to?

My colleague from Terrebonne—Blainville had also introduced an interesting bill on this, Bill C-475 on privacy protection. Canadian privacy laws have not kept pace with rapidly changing technologies, which is rather alarming. Those laws have not been updated since the first generation of iPods.

The purpose of Bill C-475 was to correct the situation by updating these laws and taking personal information protection seriously. We have the right to know when our personal information is gathered, used or communicated in any type of digital format. We have the right to feel safe. In that regard, this bill gave Canada's Privacy Commissioner increased law enforcement powers and made it mandatory to inform the persons concerned of any data leaks that might affect their privacy.

Canadians should not have to worry about the confidentiality of their personal information online. We must enhance our protection measures for children, for seniors and for all Canadians.

The NDP takes privacy protection and national security very seriously. We must protect the integrity of our country and ensure that people are safe. It is a matter of maintaining a delicate balance between liberty and security. National security is a top priority.

The government has a responsibility to make and apply policies to protect the country and its citizens, and not break its own laws and spy on the public. The fundamental problem with this government is the lack of openness and counterbalance. With our current institutional structure, we must make decisions for the common good and be more transparent to ensure that the right decisions are being made.

A number of the questions we have asked the Conservative government remain unanswered. Who authorized spying on Canadians through free Wi-Fi at a Canadian airport? Was the minister aware of this metadata collection program? Were these data saved? More worrisome yet, does this spying program still exist?

We sincerely hope that the Conservative government will go public with its legal reasoning and rationale behind CSEC's metadata collection operations. The Conservatives' vague answers will not do. We need clear answers.

I would like to inform the House that, pursuant to Standing Order 94, the divisions on Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), and Bill C-513, An Act to promote and strengthen the Canadian retirement income system, stand deferred until Wednesday, January 29, 2014, immediately before the time provided for private members' business.

Mr. Speaker, I wish to present a petition signed by many of my constituents. The petitioners are calling on all members of the House of Commons to support Bill C-475.

They are very worried about the fact that the Personal Information Protection and Electronic Documents Act has not been updated since 2000.

Given that technology has changed dramatically since then, the legislation no longer adequately protects Canadians against the risks that are present in the digital age.

Mr. Speaker, I am happy to respond to comments made by the hon. member for Terrebonne—Blainville regarding Bell Canada's new privacy policies.

The privacy of Canadians is of utmost importance and our government places high priority on protecting their personal information. Canada has strong privacy protections in place and these protections work for the digital age.

In fact, the privacy rules already contained in the Personal Information Protection and Electronic Documents Act, PIPEDA, address the inappropriate and indiscriminate collection of personal information by businesses. Companies cannot simply siphon information and decide to do whatever they want with it. They cannot force their customer to turn over personal information that has nothing to do with the product or services they are providing. They cannot sell information about their customer to whomever they want.

PIPEDA empowers individuals by giving them control over what can be done with their information. It also gives the Privacy Commissioner the power to ensure companies are following the rules, and this is exactly what happens now.

The Privacy Commissioner has already confirmed that she has launched an investigation into Bell Canada's proposed activities. Any Canadian who believes their privacy has been violated should raise these concerns with the commissioner.

I fail to understand why the opposition does not share my trust and confidence in the commissioner's ability to conduct a thorough and fair investigation. Instead, the opposition seems intent on using the situation for political gain and to advance a flawed and incomplete bill.

Our government is prepared to take action to protect the privacy of minors. Bill C-475 is silent on this.

Our government is prepared to make companies accountable for breaches to private data under their control. Bill C-475 would bury the commissioner in paper.

Updates to PIPEDA must provide meaningful improvement to the protection of individual privacy, while encouraging the growth of secure and trustworthy modern commerce. Bill C-475 does no such thing.

Mr. Speaker, Canadians and Quebeckers are becoming more and more concerned about their privacy, but the Conservatives seem less and less committed to updating our privacy laws.

My Bill C-475 addresses Canadians' concerns by bringing the Personal Information Protection and Electronic Documents Act into the digital age with reasonable, balanced measures that have been supported by a number of experts, consumer protection groups and businesses. Unfortunately, the Conservatives continue to oppose my bill for no reason.

For example, the Conservatives say that I did not do enough consultation before I introduced Bill C-475. However, while the bill was being drafted, I held dozens of consultations with experts, academics, consumer protection groups and businesses subject to the PIPEDA.

Furthermore, Bill C-475 is the result of recommendations made by several witnesses at the Standing Committee on Access to Information, Privacy and Ethics, during the parliamentary study on social media and privacy.

In short, I consulted all of the major Canadian companies affected by this bill, the foremost experts in Canada, as well as the organizations most involved in consumer protection and civil rights protection.

The Conservatives are saying that Bill C-475 does not fall within the PIPEDA framework. In fact, Bill C-475 simply increases the commissioner's powers if an organization does not comply with the law and decides not to follow the commissioner's orders. It can function perfectly well within the PIPEDA framework.

In addition, the Conservatives are wondering why the fines apply only to organizations that do not follow the commissioner's orders. That is precisely the strong point of my bill. It is very balanced and does not try to further burden businesses. Simply put, if an organization amends its practices that do not comply with the law, it will not have to pay a fine.

We are now in the age of big data. Personal data is found all over the Web and they are priceless. We need to ensure that they are protected. With the age of big data came the rise of Internet megacorporations. According to the Privacy Commissioner, it is increasingly difficult to ensure compliance with the PIPEDA and compel companies to honour it.

The measures contained in Bill C-475 will encourage companies to adequately protect the privacy of Canadians, because if they do not, there will be real consequences. If the government really wants to protect consumers, as it promised to do in the throne speech, it must make a serious commitment to privacy.

Bill C-475 builds on this commitment to consumers by creating a greater incentive for companies to respect our Canadian privacy legislation.

It is high time that the Conservatives take the protection of privacy seriously. It is time they respond to the concerns of Canadians and support Bill C-475 instead of defending themselves with baseless counter-arguments and spreading scurrilous allegations about this initiative.

Mr. Speaker, I have the honour today to present a petition signed by people in my riding in support of Bill C-475 to modernize the Personal Information Protection and Electronic Documents Act so that it better protects Canadians in the digital age.

Mr. Speaker, he completely failed to address the issue raised by my colleague. Bell is going to keep tabs on its customers and the government is going to just sit back and watch. This is a major failure for a party that just gave a so-called pro-consumer throne speech.

This type of spying must stop. There are simple and practical solutions to this problem, solutions that are found in the NDP's Bill C-475.

Will the Conservatives support Bell keeping tabs on its customers or will they support my bill?

Mr. Speaker, in her report released yesterday, the Privacy Commissioner was clear: Canada has fallen behind when it comes to privacy matters.

The law is quite simply archaic, because it was designed before Internet fraud, cyberbullying and the theft of personal information, which now dominate the headlines.

The NDP introduced Bill C-475, which seeks to bring the Privacy Act into the digital age.

Why not support these practical solutions?

Mr. Speaker, today I am presenting a petition from people in my riding who support my bill, Bill C-475, which is designed to better protect the personal information that Canadians put online.

Those who signed the petition lament the fact that the laws protecting our personal information online have not been updated since the first-generation iPod was released. They would like to see my bill passed in the House.

Mr. Speaker, I would like to point out to the member that the NDP has actually drafted legislation that would help to address privacy breaches. The member for Terrebonne—Blainville has introduced Bill C-475. This bill would create mandatory data breach reporting in the event that a data breach causes a risk of harm to an individual. The bill would also increase the enforcement powers of the Office of the Privacy Commissioner to ensure that organizations comply with PIPEDA when handling the personal information of Canadians.

This kind of protection has long been called for by key experts and citizens groups. It is time to act to meet the challenges of the digital age, not just for today but tomorrow as well. Bill C-475 is scheduled for debate at the end of June. I would like to know if the member opposite will support this legislation that will better protect the privacy rights of Canadians.

Mr. Speaker, it is a pleasure to rise this evening to address this bill. I have never had the honour of sitting on the statutory instruments regulations committee. It sounds as if it might be a very interesting committee. I do find it most fascinating that the government has chosen to use this particular bill, given that we are allocated four or five hours, which is probably more hours of debate than for many other pieces of legislation. However, at the end of the day, it is going to be interesting. I suspect that we might see differing opinions. We in the Liberal Party have a great deal of concern with regard to this bill. We cannot see ourselves supporting it at this time, and we will have to wait and see what happens at committee stage and see if the government is going to be able to address the issues.

We were talking about a different bill, Bill C-475, during private members' business, and it dealt with personal information. A government member stood up and made a comment on how wonderful it would be to have Bill C-12 debated, given that all sides of the House seemed to be supportive of Bill C-12. The member made the suggestion that he would even be prepared to see that bill debated right away. Maybe if the Conservatives recognize the importance of that bill, they might also want to call that; the last time it was brought before the House being back in September 2011. We will have to wait and see.

Another concern that was raised was in the form of questions that I asked both Conservative speakers in regard to the whole issue of the French language. I come from the province of Manitoba, and the French language issue in terms of laws and regulations was a critically important ruling that came from the Supreme Court of Canada. The ruling reflected on many of Manitoba's laws and, because of not having appropriate translation, the court had virtually given Manitoba a time schedule to pass all sorts of other regulations and laws in order to keep them in effect. It gave us a bit of a sunset clause in terms of needing to pass this in order to comply. Otherwise, we would have had a series of laws, whether provincial legislation or regulation, that would have become void. Therefore, we take the issue very seriously in terms of some of the things, and that is the reason I posed the questions.

In looking at Bill S-12, there are a couple of things that are really important to note. Quite often, the intent might be clear. Individuals, whether members of Parliament or those assisting in trying to create legislation or regulation, will be fairly clear on what it is they are trying to accomplish, the actual intent. The real challenge is to try to take that intent that is being expressed and put it into words, and in our case also to ensure that the translation is in essence saying the same thing whether in English or in French. That is a very important point.

As an example, one of the first issues that came up was related to Air Canada. It was an important issue, through which I suspect many individuals who might be listening in on the debate might get a better sense of the importance of converting intent into appropriate words. I recall the Air Canada Public Participation Act that was brought in a number of years ago. There is absolutely no doubt that, if we look at the debates and some of the discussions that took place in the committee, we would find that the intent that was being spoken was that communities like Winnipeg, Mississauga and Montreal would be guaranteed their overhaul maintenance positions.

This literally translated into thousands of jobs in Winnipeg, hundreds of jobs that were in essence guaranteed in that law. That was the intent.

If we read the legislation that is there today, I think most Canadians, in reading it, would come to the same conclusion to which I came. I raised that issue shortly after being elected back in December 2011. When I raised it, it was to challenge the government. It was to tell the Prime Minister that we had a law that said these overhaul maintenance bases were supposed to be guaranteed. Air Canada was legally obligated to maintain those bases.

The Prime Minister and the government responded by saying that this was not necessarily their interpretation. Apparently, the government found a lawyer somewhere who said that this was not the case, that there was no legal obligation.

It did not matter what we attempted, whether it was through postcards or petitions. Many different stakeholders and individuals read the law and said that the law was pretty clear.

I raise that because at the end of the day is it very important. When we think of a regulation or a law, we often talk about what we are hoping to achieve by passing it, but what is written down on that piece of paper and translated is what counts.

As legislators, we have to take that responsibility very seriously. In recognizing what this legislation is doing, it is offloading a great deal of responsibility. I know the record will clearly demonstrate that this has not necessarily been a government that wants to take responsibility. By allowing this legislation to pass as it is, we need to recognize that there will be more laws being put into place with less scrutiny from the House of Commons.

That is one of the effects that the passage of this bill will have. We need to be very clear on that point.

Another profound impact the legislation will have is in regard to the whole idea of incorporation by reference and what will happen in regard to that secondary language, whether it happens to be English or French. We are in a bilingual nation and there is an expectation. I will provide a little more comment on that in a few minutes.

The legislative summary that was provided by the Library of Parliament had some interesting information that is worth expressing. One point deals with the amount of regulation versus laws in terms of numbers of pages. It is interesting to note, and this is a quote from the parliamentary library, “There are, at the federal level alone, approximately 3,000 regulations comprising over 30,000 pages”. Compare that to somewhere in the neighbourhood of 450 statutes, which comprise roughly 13,000 pages.

Furthermore, departments and agencies submit to the regulations section, on average, about 1,000 draft regulations each year, whereas Parliament enacts about 80 bills during the same period. The executive therefore plays a major role in setting the rules of law that apply to Canadian citizens.

What we will find is that the number of laws in comparison to regulations is decreasing as we rely more on regulations. When we go into or finish second reading and then it goes to committee stage, how often do we hear from government representatives or policy analysts who say “this is what the clause says and further explanation will be provided via regulation?” We hear a lot of that.

Why then should we be concerned? We have to be careful that we recognize the importance of laws versus regulations and the incorporation of references into regulations.

We start off with our Constitution and our Charter of Rights. These are things that no one would question. We then go on to laws that would be passed in the House of Commons, then to regulations. Finally, we would go to the incorporation of reference.

Look at each stage and how difficult it is to change the Constitution. We do not see too much public will or interest in changing the Constitution. In terms of legislation, the same principle applies. There is a process of changing legislation. There is first reading, second reading, committee, third reading, the Senate and finally royal assent. There is a great deal of scrutiny that takes place.

What about regulations? There is a legal examination and registration that have to take place. Ultimately, publication takes place in the Canada Gazette.

We can see the difference between them. Each level has a different sense of accountability or process that we have to follow. If we take just the one component, the legal examination, the examination for the passage of legislation will come through here. There are all sorts of responsibilities that all members, particularly critics, caucuses, vested interest groups and stakeholders of a wide variety, have in ensuring there is some form of due diligence and a sense of accountability.

What about the regulation? When it comes to legal examination, we know there is an obligation for the Clerk of the Privy Council. There have been four things that were cited again, dealing specifically with this bill, that came from the Library of Parliament. Those four things in passing or ensuring that there is some form of legal examination of that regulation.

The first is, “(a) it is authorized by the statute pursuant to which it is to be made”. Another way of saying it is that if we want to change or pass a regulation, we want to ensure it is in compliance with the legislation or a current law that has been passed by the House of Commons.

The second is, “(b) it does not constitute an unusual or unexpected use of the authority pursuant to which it is to be made”. That would be something that would obviously make a whole lot of sense. After all, it cannot override a law, like a law cannot override our Constitution.

The third is, “(c) it does not trespass unduly on existing rights and freedoms and is not, in any case, inconsistent with the purposes and provisions of the Canadian Charter of Rights and Freedoms and the Canadian Bill of Rights”. We are asking that the Clerk of the Privy Council, in consultation with others, ensure that it does not contradict some of those basic rights. Before, if it was a law, it would be something where members, and in particular the Minister of Justice, would play a much stronger role in ensuring the compliance in that regard.

The fourth is, “(d) the form and draftsmanship of the proposed regulations are in accordance with established standards”. This is something where one would expect our legislative counsel and others that assist us to ensure the wording was correct. That is why at the beginning I commented on the importance of wording, that in fact one can be very clear orally what the intent is, but we have to ensure that this intent is put into proper words because it is the wording that is of critical importance.

I would like to quote from the Library of Parliament because I believe it is stated quite well in terms of what specifically, when we think of regulations, is actually at stake in dealing with Bill S-12. I quote directly from the report that has been provided to us from the Library of Parliament. It states:

When Parliament confers a power to make regulations, the regulation-maker usually exercises this power by drafting the text of the regulation to be enacted. The regulation-maker may also decide that the contents of an existing document are what should be used in the regulation it intends to enact. One way to make the contents of such a document part of the text of the regulation would be to reproduce it word for word in the regulation. Alternatively, the regulation-maker can simply refer to the title of the document in the regulation. The contents of the document will then be said to be “incorporated by reference”. The legal effect of incorporation by reference is to write the words of the incorporated document into the regulation just as if it had actually been reproduced word for word. The incorporation by reference of an existing document is no more than a drafting technique, and a regulation-maker need not be granted any specific power in order to resort to this technique. This is referred to as “closed” or “static” incorporation by reference.

We need to be very careful with that. When we talk about international standards, what we are really saying is that incorporation by referencing says that we are going to take a third party standard, whether international, provincial or it does not even have to be a government agency. It could be any sort of a third party and it could be a one paragraph document or it could be a 500-page document.

I see my time has run out. Hopefully there will be a question and I will be able to conclude my comment on that aspect of it.

Before I begin, Mr. Speaker, I would like to remind the members opposite that Bill C-475 does not represent a comprehensive review of the Personal Information Protection and Electronic Documents Act, and for that reason, it cannot be compared with the government’s Bill C-12, which does in fact constitute a thorough review and is much broader in scope. Therefore I would invite the members to learn more about this bill before criticizing it.

I am especially pleased today to speak to this bill which was introduced by my colleague from Terrebonne—Blainville. Since being elected she has worked tirelessly on various issues related to the digital world. In particular, she fought against Bill C-30 and forced the Conservative government to kill its online spying bill. She also held public consultations on the North Shore on personal information protection as it relates to her bill.

Today, with Bill C-475, my colleague is calling for the Personal Information Protection and Electronic Documents Act to be modernized to take into account the new digital reality. It is hard to believe that this legislation has not been modernized since it was first passed 13 years ago in 2000. Back then, there were no iPods, smart phones, Facebook or Twitter, and I did not even have an email address. It is time for the government to blow the cobwebs away and modernize this legislation to better protect Canadians’ personal information.

The Personal Information Protection and Electronic Documents Act is based on the ombudsman model. The primary duty of the privacy commissioner is to investigate complaints concerning privacy breaches. The privacy commissioner has the power to investigate, to file complaints, to conduct audits and to publicly report on an organization’s personal information management practices. However, the act does not give the commissioner the power to make compliance orders, or in other words, to order organizations to amend their practices or face a fine if they fail to do so.

To clearly grasp the issue here, I would like to give a few examples that illustrate the need to give the Privacy Commissioner more powers. The commissioner recalled that in 2010, the retailer Staples had failed to delete all of the client data stored on devices such as laptops or USB hard drives that had been returned to their stores and were slated for resale. What is most disturbing is that this retailer had been investigated twice before and was still not complying with the commissioner’s orders.

Let us be honest here. The government created a watchdog who in essence has been muzzled. This watchdog does not have the power to enforce the act. This initiative by my colleague from Terrebonne—Blainville would give the Privacy Commissioner the means to do her job.

Another example is Google Street View, which collected personal information such as email addresses, emails, usernames, passwords, telephone numbers and street addresses. The commissioner found that this practice constituted a serious breach of Canadians’ right to privacy. In this instance, the outcome was a little more positive. Google appears to have accepted the recommendations of the commissioner, who observed that the company was on the right track to resolving these major problems.

I should also like to mention the Edmonton-based site Nexopia, which describes itself as the largest social networking site for young Canadians. The site has over 1.6 million registered users, 80% of whom live in Canada. Nexopia.com users create profiles, engage in blogging, create photo galleries and post articles, artwork, music, poems and videos. The problem is that Nexopia does not have any kind of system in place to block public searches of the profiles of young users, and the website does not allow users to shield their profile from the public. You can see the problem.

These facts are troubling, considering that young people are often careless when it comes to their personal information and that they are targeted by many companies and some offenders. The commissioner conducted a thorough investigation, found that this organization was not in compliance with the legislation in a number of areas and issued 24 recommendations.

Following the release of her report, the federal Privacy Commissioner was forced to ask the Federal Court to make an order compelling Nexopia to stop retaining personal information. Since this action was launched, Nexopia has changed hands, and we are still waiting for the new owner to follow up on all of the commissioner’s recommendations.

Bill C-475 introduced by my colleague attempts to resolve much of the problem by amending the Personal Information Protection and Electronic Documents Act in two ways. First, it would give the Privacy Commissioner enforcement powers, the power to order an organization that has failed to comply with the act to take the necessary steps to comply. Any organization that refused to take action within the timeframe set by the commissioner would risk a fine of up to $500,000.

As well, the bill makes it mandatory to signal any data breaches that could harm an individual. If an individual's personal information has been compromised in a way that could harm that individual, the organization responsible must inform the privacy commissioner of the violation. The commissioner can then determine if the violation could harm the individual and may force the organization responsible to inform the individual that their personal information has been compromised. Non-compliance could result in a fine of up to $500,000.

We believe that this will help increase compliance with the law, reduce the cost of the current process, and reduce delays. It will also establish solid case law that will allow individuals and organizations to better understand their rights and responsibilities.

I would like to point out that three provinces already have laws that are basically similar to the federal law concerning privacy in the private sector. Unlike Ottawa, the provinces of Quebec, Alberta and British Columbia empower their commissioner to make binding decisions in certain circumstances.

As my colleague mentioned when she introduced the bill, it seems that there is a consensus among the public to increase fines for offenders. As the Commissioner said, it is important to note that Canadians are the heaviest Internet users worldwide, spending an average of 45 hours a month online.

We are also among the most avid users of networking websites in the world. I was not surprised to hear that half of Canadians are on Facebook. In light of those statistics, it is not surprising that privacy is an ongoing concern for Canadians.

The 2011 Canadians and Privacy Survey found that the vast majority of respondents are in favour of stiff penalties for organizations that fail to protect peoples' privacy. More than 8 out of 10 respondents want to see measures passed to name offending organizations, impose fines or take the organizations to court.

The Commissioner herself is calling for more power to fulfill her mandate. In her 2011 report, she said:

In recent years, we have seen very serious, large-scale data breaches. Data breach notification, in itself, may not be sufficient to create the kind of incentives necessary to ensure that organizations take security issues more seriously in the current environment. Many other countries are taking a harder line on breaches. For example, the United States has been a leader in this area and virtually all states have data breach laws. Meanwhile, a European Commission Regulation proposed in early 2012 included data breach provisions and very significant fining powers for European data protection authorities. Commissioner Stoddart has encouraged the federal government to explore strengthened enforcement options that would create stronger incentives for organizations to ensure personal information is adequately protected.

The report could not have been any clearer.

Why are the Conservatives so soft on those whose business practices are compromising Canadians' personal data?

As a final point, it is important to understand that the Personal Information Protection and Electronic Documents Act and this bill apply to the use of personal information only in the private sector. Ideally, the proposed measures would also apply to government organizations.

I know in the past my hon. colleague has asked the Standing Committee on Access to Information, Privacy and Ethics to examine the possibility of opening up the Personal Information Protection and Electronic Documents Act to resolve this issue.

In closing, it is unfortunate that the Conservatives oppose this, and I hope we can come up with a solution to this serious problem.

Mr. Speaker, I am pleased to rise today to comment on private member's Bill C-475 tabled by my colleague, the member of Parliament for Terrebonne—Blainville.

First, I will correct the record for the hon. member. I think it was February 15, and I do not know if the hon. member was here, when our House leader certainly made very clear that we were willing to move Bill C-12 to committee, but it was obstructed by the opposition party that denied consent for that.

The Internet has become a platform for commerce. More and more online transactions rely on flows of information, including personal information. In fact, personal information is often cited as the lifeblood of the modern economy. It is a key asset and a driver for innovation. However, for information to continue to be an engine of growth and innovation, it is necessary to maintain a solid foundation of trust in the fair and responsible handling of personal information.

As the opposition is well aware, the government already has amendments to PIPEDA before the House in the form of Bill C-12, the safeguarding Canadians' personal information act. The amendments in this bill are the result of extensive public consultations and reflect the work of our parliamentary committee and legislative review process. They reflect the values of Canadian consumers as well as the realities of the marketplace.

Bill C-12 establishes broad-based, balanced, comprehensive improvements to PIPEDA which set out enhanced protections for Canadians' privacy, while ensuring that legitimate business needs for information are met.

By contrast, the opposition's approach to privacy in Bill C-475 introduces only two new measures in PIPEDA. The first of these is a potentially costly and administratively burdensome data breach notification regime.

Bill C-475 would require that organizations report every data breach involving a “possible risk of harm”, no matter how remote to the Privacy Commissioner of Canada. The commissioner must then spend time determining whether each one of those breaches poses an “appreciable risk of harm”, and thereby warrants notification to affected individuals.

In contrast, the government's Bill C-12 proposes an approach to data breach notification that balances the cost to organizations of unnecessary notifications with the needs of consumers.

Bill C-12 would require notification to individuals only in situations where the organization determined that a breach carried a “real risk of significant harm”, which includes both financial harm, such as fraud, and non-financial harm, such as humiliation. This would eliminate the need for costly notification where it was not needed. This would minimize the compliance burden on organizations and reduce the risk of notification fatigue among consumers, while ensuring individuals would get the information they needed to protect themselves.

The opposition's Bill C-475 contains a lengthy list of consequences for non-compliance. This includes a monetary penalty of up to $500,000, which I am sure members will agree is a significant amount. However, should penalties for small businesses in our communities be as large as those of multinationals? The opposition seems to think this should be the case because Bill C-475 is silent on this question.

In contrast, the proposed measures in Bill C-12 reflect the importance of personal information to the smooth functioning of the marketplace. They address barriers to information flows, which were unforeseen when the act first came into force. They clarify and streamline privacy rules for business, while at the same time providing companies with the information they require to continue to grow and prosper.

Consumer information plays a role in many legitimate businesses. Financing transactions and acquisitions that occur in the normal course of development of many businesses require an assessment of business assets. These assets can include databases containing the personal information of customers the businesses intend to keep serving or information about the training and skills of employees who will continue to work with the business. Without the ability to access this personal information, it can be difficult for companies to assess the economic viability of a particular transaction.

Bill C-12 proposes to amend PIPEDA to enable companies to review personal information when necessary to conduct the proper due diligence prior to engaging in business dealings. Before any information can be shared between parties to a business transaction, each party must enter into a formal agreement that constrains the use of the information to purposes related to the transaction itself. In keeping with PIPEDA's existing principles, the agreement must also require the parties to protect that information with strong security safeguards.

Bill C-12 involves amendments that will remove barriers to the availability of information that is necessary to establish, manage or end an employment relationship.

Private sector representatives and the Privacy Commissioner of Canada have recognized that adjustments to PIPEDA were needed to reflect the unique context of the employment relationship.

As a result, Bill C-12 would amend the act to address situations where, for example, employers might need to collect and use the personal information of their employees to issue identification cards and control access to restricted areas.

These measures have been carefully balanced to maintain the protection of employee privacy by limiting the collection, use or disclosure of employees' personal information to that which is absolutely necessary and by ensuring that individuals are notified when their information is being collected, used or disclosed in the employment context.

Bill C-12 also follows up on other key recommendations. For instance, it would provide greater certainty and would clarify rules for business by streamlining private sector investigations. PIPEDA currently allows companies to share personal information with organizations that have a legitimate mandate to conduct investigations into breaches of agreements and contraventions of the law.

However, under PIPEDA, a burdensome and lengthy regulatory process is required in order to render this effective. To date, four separate regulatory processes have had to be launched to allow for the designation of 84 organizations or classes of investigative organizations with more expected.

Under Bill C-12, if passed, Parliament will act to replace this onerous regulatory process with an exception that will enable the information to be shared only in limited circumstances. Indeed, the government will only allow this information to be shared when it is necessary for the conduct of investigations and for fraud prevention.

I believe Bill C-12 provides a better model for the enhancement of privacy protection in Canada. I do not believe Bill C-475 provides the same balanced and comprehensive model.

I call upon members to support Bill C-12 rather than Bill C-475. I would mention for my colleagues from across the way that if they actually want to pass Bill C-12, as they seem to, both parties have mentioned it in the last few minutes, we would be glad to have that discussion and move it to committee tomorrow.

Mr. Speaker, I am very pleased to rise today in support of Bill C-475, put forward by my colleague from Terrebonne—Blainville. This is an extremely important initiative for all Canadians.

Frankly, the question that arises is: Whatever happened to Bill C-12? This was to be the government's showpiece legislation to reform private sector privacy in Canada. That was back on September 29, 2011, and it is missing in action. As my colleagues have said repeatedly, privacy is the victim. Canadians are expecting, in this 21st century world in which we live, this digital economy, that their privacy will be protected.

I want to say in my remarks that this is good for business. This is actually essential for business. We can talk about privacy protection in the private sector as a human right, but we can also talk about it as being good for business, and I want to give a couple of examples where, in fact, we have kind of missed the boat on that.

The government had the opportunity. There was a requirement for it to bring in Bill C-12. It did not do this because of privacy protection concerns or even for good business reasons; it had to do it because the Personal Information Protection and Electronic Documents Act required that there be a statutory review. It has taken a long time, and I guess we will have another statutory review before it ever deals with Bill C-12. The point is that it is not just bad for privacy for all the reasons I have said, including the digital economy changing so utterly since 2001, but it is bad for business. That is a language the government, presumably, will understand, so let me talk about business.

We live in a world of big data. The current Foreign Affairs magazine talks about the rise of big data. Canadian Business magazine talks about a couple of examples where Canada, sadly, dropped the ball. Let me explain.

A few years ago Google made overtures in Quebec, but the provincial government and Hydro-Québec were unwilling to provide the kind of electricity required so a large data centre could be situated in that jurisdiction. What happened? Google went to Finland and, as a result, the company built a 350-million-euro data centre. Facebook is currently building a 900,000-square-foot facility 100 kilometres south of the Arctic Circle in Sweden. There is a gigantic industry available for gigantic data, and Canada is missing the train. Why is that?

We have cheap electricity by world standards. That should be easy. We have a very secure Canadian Shield in which we could situate these large data centres. Places like Kamloops in British Columbia have been considered. Here is what else we have. We have laws in the private sector that are substantially similar to those of the European Union. It has a very strong data protection law there. It cares deeply about privacy in that jurisdiction. Companies like Facebook have come to Canada and, essentially, test driven their new privacy regimes to see if they pass muster under the Canadian privacy laws, because if they do, they probably will pass muster in the European Union, the U.K. and places of that sort, since our laws are substantially similar.

Canada is perfectly situated between the United States and Europe with a relatively robust privacy protection regime to attract lots of business, but we dropped the ball. The government has utterly dropped the ball with Bill C-12. Who knows if it will ever see the light of day? I say that is tragic for business.

My colleague from Terrebonne—Blainville has spoken strongly in favour of privacy as a constitutional right, and that is true, of course, but the business side of this is good as well. What does her bill do? It does two fundamental things. It deals with breach notification, which according to the Privacy Commissioner of Canada today, 97% of Canadians think is a good idea, according to a poll. Talk about a no-brainer. Second, it talks about better enforcement provisions and order-making powers. Let me speak about each of those things that her bill would do.

First, in Bill C-475 there is a requirement to notify the commissioner of a breach if there is a possible risk of harm. We have seen lots of breaches where credit card information has found its way to various places it ought not to be, and the like, medical information, information that Canadians hold dear. If there is a risk of harm, the notification must be made in a form prescribed in regulations or otherwise specified by the commissioner.

We do not put everything in statutes; we wait for regulations to put flesh on the bones. That is how we do business. It is not surprising that is the way this has been proposed in Bill C-475 as well.

Then there was some concern because the bill talks about the commissioner requiring the organization to notify affected individuals to whom there is an “appreciable risk of harm” as a result of the data breach. Somehow I gather we should be criticized for the appreciable risk not being spelled out. Well, do we have “reasonable person” standards spelled out in our laws? Do we have every situation in the Criminal Code spelled out? Of course not. We use general words. We allow courts and commissioners and regulatory bodies to figure out what those mean. That is the way we do business. It is not surprising that has not been spelled out in detail here either. That is entirely consistent with normal Canadian drafting processes.

The commissioner would have the ability to order the private sector organization to notify individuals and the bill provides a certain number of criteria that should be considered in doing so. Then there is the possibility of an administrative monetary penalty, depending on certain factors that are listed, of up to $500,000. There is, of course, the issue of the right of action that the commissioner might have against an organization that has not complied with orders.

To me, these are entirely common sense, entirely 21st century provisions. I am so pleased that Canada's highly respected privacy commissioner, Jennifer Stoddart, has agreed entirely with these initiatives at a press conference in Toronto today. I thought this quote was perfectly in line with my colleague's bill. She said:

Personal information has been called the oil of the digital economy. As organizations find new ways to profit from personal information, the risks to privacy are growing exponentially.

That goes to the point that the law we have in Canada, although good at the time in 2001, is entirely out of date and everyone knows it has to be improved. The Conservatives seem to not want to do that. Therefore, this bill would at least get us half the way there with two key things.

Finally, we would have order making power for the commissioner. I live in British Columbia. In my province and in the provinces of Quebec, Alberta and Newfoundland and Labrador, people have had the ability for this umpire in the game, this ombudsperson, to make orders where appropriate, and the sky has not fallen. It seems to me it has worked extremely well.

Why is it that we have taken so long to come up with what has been proven to be a huge success story at the provincial level? Imagine that: an administrative body making an order. How many thousands of examples can we find in Canadian legislation of just that kind of power? This is hardly surprising or radical. It is consistent with administrative justice regimes we find at the federal and provincial levels across the country.

The other thing Canadians want is breach notification. That is the other key element in this initiative. Why? It is because it is the most visceral example of privacy violation. When thousands of records frequently find themselves in the hands of others, not only is there a risk of identity theft and enormous personal loss, not only is it a drain on our economy if that occurs, but there is also a sense of enormous personal violation when individuals' privacy is put at risk.

There is an example in the United Kingdom, where someone left a data stick in the back of one of those black London taxis. It contained the records of several million British taxpayers. Just think what one could do with that information, not just economically. Think of the kind of very sensitive information that would entail. One could find out who was paying money to people, for example, who might have children of whom their current partner was unaware. That would be shown by way of alimony payments and maintenance payments that could be deducted from income tax.

There are a zillion examples of those kinds of breaches. Canadians are worried about that. According to our privacy commissioner, 97% in a survey expressed that concern.

I want to congratulate my colleague for her excellent work in bringing forward Bill C-475. I am shocked that our Government of Canada has not seen fit to move forward with Bill C-12. We get more platitudes about it but no action. I am thankful for the action this legislation entails.

Mr. Speaker, I listened to the member talking about supporting Bill C-12. The problem is that the bill has been sitting on the order paper now for almost a year and the government has done absolutely nothing in advancing it, so that we could get it to committee and have a debate on it. One thing that Bill C-475 does is move forward the debate on privacy and the access to and protection of people's private information.

We are encouraged by Bill C-475 and want to get it to committee so we can update the legislation that has been in place. Only today, the Privacy Commissioner of Canada, Commissioner Stoddart, said we are falling behind and we are at risk of not being up to date with others around the world.

PIPEDA has been in place since 2001 with no changes since that particular date. On that, Commissioner Stoddart said:

Back in 2001, when PIPEDA began coming into force, --and even when I became Privacy Commissioner in 2003--there was no Facebook, no Twitter and no Google Street View. Phones weren’t smart. “The cloud” was something that threatened picnic plans. And predictive analytics was largely the domain of tarot card readers.

Things have changed in the last 15 years and we need to get up to date. Bill C-475 is a good first start. We need to also look at the commissioner's white paper released today, because she did say we are at risk of falling behind.

The reforms that need to be made to PIPEDA include stronger enforcement powers, requiring organizations to report breaches of personal information, requiring organizations to publicly report the number of disclosures they make and modifying the accountability principle.

One of the things the commissioner even said today is that she has no power. The only power the commissioner has is to name companies who breach these laws, so we need strong legislation and enforcement powers, and we need to make sure she has power to fine. Some of that may be in Bill C-12, but we have not seen that and we have not seen it being moved forward in the legislature.

These things do need to be updated. We look forward to having some more debate and getting this bill to committee so that we can really dig into it to see how these changes are going to have an impact and what improvements may need to be made to the bill from the information commissioner. We look forward to doing that in committee.

Mr. Speaker, I am pleased to rise today to speak to private member's Bill C-475.

I thank the hon. member for the opportunity to discuss our government's approach to protecting Canadians from data breaches. This issue is one of many the government has committed to addressing in its own bill to update the Personal Information Protection and Electronics Documents Act, namely Bill C-12, which is currently awaiting second reading.

I wish to point out that the data breach notification regime proposed in Bill C-475 takes a starkly different approach than that in Bill C-12. Bill C-475 requires organizations to first notify the Privacy Commissioner of every potential data breach, regardless of context or remoteness. The Privacy Commissioner must then determine whether affected individuals should be notified. Given the potential number of breaches that could be reported, such a regime would increase costs and burdensome compliance procedures for Canadian businesses and would impose an unwieldy financial and administrative burden on the Office of the Privacy Commissioner, generating more costs than benefits for taxpayers.

In contrast to the approach in Bill C-475, Bill C-12 requires that organizations determine whether a breach of personal information poses a real risk of significant harm to individuals. The organization experiencing the breach is in the best position to understand and assess the risks and decide quickly what should be done to protect individuals without delay. With appropriate oversight by the Privacy Commissioner, the responsibility should rest with the organization experiencing the breach. Bill C-12 also requires an organization to report a potential breach to the Privacy Commissioner when there is real risk of significant harm.

The Privacy Commissioner retains oversight of the notification process and would have the option of initiating an investigation if it were believed that notification was not done properly or did not occur when it was required. This also provides her office with information on the nature and number of breaches that have occurred.

There are other differences between the approaches to notification taken in the two bills. Bill C-475 states two factors that are to be used by an organization when determining whether to report a breach to the Office of the Privacy Commissioner. These factors are the sensitivity of the information and the number of individuals impacted by the breach. The use of only these two factors to determine risk related to a breach does not allow for consideration of circumstances to determine if a potential breach could be harmful.

This approach in Bill C-475 to determine whether to report a breach to the commissioner would also not capture breaches impacting only one or a few individuals, even where there is a high risk of significant harm to those individuals. This leaves a large portion of potentially harmful incidents outside of the legislation.

By contrast, Bill C-12 lays out different factors for determining whether a breach poses a real risk of harm, namely the sensitivity of the information and the potential for the misuse of that information. This requires the organization to assess all the circumstances around the breach, including, for example, whether the information was encrypted, whether it was fully recovered, or whether the circumstances suggest criminal involvement. All of these issues must be considered when determining the risk related to a particular data breach. If not, we run the risk of not capturing all harmful breaches or of focusing on capturing too many remote potential breaches, thereby increasing the burden on organizations and quite possibly reducing the commissioner's capacity for dealing with those that would cause harm.

Under Bill C-475, the proposed threshold to be used by the Privacy Commissioner for determining whether to order an organization to notify individuals is “appreciable risk of harm”. This term is ambiguous and is not defined in the bill. It is therefore not clear what type of breaches this threshold is meant to capture.

The manner of notification to individuals required by Bill C-475 is stated as “...clear and delivered directly...in the prescribed form and manner”. However, there are no details provided on what that form and manner would entail. Furthermore, the bill would not provide for regulation-making power to address this. PIPEDA applies to a very broad range of organizations of all sizes to ensure the timely notification of individuals. The means of notification imposed by any legislative requirement should be flexible enough to accommodate the varying circumstances in which these organizations find themselves.

For example, Bill C-12 would allow organizations to use means of notification such as website notices or paid advertisements, where necessary. This can be an important tool in situations where there is a large group of individuals who have not provided their current contact details, for instance. Organizations need access to every method available to reach those concerned in a timely manner. The new requirement proposed by Bill C-475 would create considerable uncertainty and would be burdensome and costly for organizations. In the U.S., where this issue is tracked annually, the average cost to an organization of a single notification is estimated to be $194. The average total cost to an organization for a data breach is approximately $5.5 million. As entrepreneurs in our communities strive to grow our economy and create jobs for Canadian families, we should take care to examine more efficient alternatives to ineffective procedures. These new requirements might even diminish the value of notification because of notification fatigue, causing individuals to ignore the numerous notices they receive. Bill C-475 would thus undermine its own purpose.

In summary, the opposition's approach in Bill C-475 would impose an administrative burden on the Privacy Commissioner and a financial burden on organizations and would impede timely disclosure of data breaches to individuals. Bill C-475 also does not define key terms adequately and does not capture many potentially harmful breaches, such as those involving a small number of individuals.

The notification regime proposed under Bill C-12, on the other hand, is a careful, risk-based approach that would balance the need for notification to individuals with the cost of notification. The comprehensive approach of Bill C-12 could be applied to the vast range of circumstances and considerations faced by the various types of businesses, both large and small, that are subject to our federal private-sector privacy legislation.

I would therefore urge hon. members to oppose Bill C-475, and I invite the opposition to join us in support of Bill C-12 and move it to committee for detailed consideration as soon as possible.

moved that bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), be read the second time and referred to a committee.

Mr. Speaker, it is with deep conviction that I initiate the first hour of debate on my Bill C-475, the purpose of which is to bring the Personal Information Protection and Electronic Documents Act into the digital age.

I would like to begin by reading from a statement by the Privacy Commissioner, Jennifer Stoddart, released this morning:

“PIPEDA is not up to the task of meeting the challenges of today--and certainly not those of tomorrow”.

It is therefore no surprise that she should have said this, because this legislation has not been updated since the arrival of the first-generation iPod. Matters evolve very quickly in the digital age, and the law is no longer relevant.

Millions of Canadians have never known a world without smart devices. It is an eternity in a modern society undergoing constant change, as ours is.

The Internet is central to our lives, because we use it daily. It is not surprising, therefore, to learn that Quebeckers and Canadians will spend about 45 hours a week online in 2013, that over 70% of Canadians use the Internet daily, and that our fellow citizens have more than 18 million Facebook accounts.

Canada as a country is firmly plugged in. For a few years now, laptops and devices like tablets have been used both recreationally and as working tools. They occupy an increasingly crucial place in our lives. We are moving more and more towards digital management of our lives. This major change means that new rules must be put in place and that they must reflect the new risks associated with these developments in the digital world.

Since the beginning of this year alone, we have witnessed serious losses of data, including data on 52,000 Canadian investors in February and more than 50 million clients of LivingSocial in April.

The Privacy Commissioner of Canada recently stated that breaches of personal data have been steadily increasing in recent years. In that connection, a study by Telus and the Rotman School of Management at the University of Toronto, published in 2011, showed that each public company experienced an average of 18 data breaches a year.

Unfortunately, the current legislation designed to protect Canadians’ privacy has not been updated to address these risks and put appropriate measures in place to protect society. The current legislation does not provide for Canadians to be notified of a breach of their personal information. Organizations are not in fact required to notify them, regardless of the seriousness of the breach. This means that our fellow citizens cannot take appropriate action to protect their identity or their credit in order to reduce any harm they might suffer.

I am referring in particular to our passwords, social insurance numbers, personal emails or even the bank account numbers needed to make online purchases. The sharing of personal information with third parties, without consent, is a major problem in Canada.

In September 2011, the Privacy Commissioner noted that a quarter of the most-visited websites in Canada do not comply with Canadian law; they disclose our data without our consent. This bothers me a great deal, particularly when I think of children, the elderly and people who have not had the good fortune to learn how the Internet works and what the risks are. What is much worse is that companies that decide to do this do not currently suffer any consequences.

For more than 10 years, Canadians have been waiting for a better regulatory framework. They are rightly expecting results along those lines, and it is in that spirit that I decided to introduce Bill C-475. The bill proposes two simple and effective mechanisms to improve protection of Canadians’ personal information.

First, it requires that the commissioner be notified by any organization having personal information under its control when there is a possible risk of harm to users.

Experts in the commissioner’s office will assess the seriousness of the situation against a criterion for harm that sets a high standard. They will also recommend whether or not the organization should notify the users affected.

This mechanism allows for an objective analysis of the risk and better management of the risk through an expectation of a high level of security, rather than a subjective analysis based on the interests of the organization, which may differ from the interests of users.

The process will restore to Canadians the power to take steps to protect themselves much more quickly, in addition to reducing the harm done to them.

The second mechanism provided for in Bill C-475 is based on the Alberta model. It is designed to give the Privacy Commissioner order-making power when an organization fails to obey the law. The Federal Court would have legislated authority to penalize organizations that fail to carry out an order issued by the commissioner.

These mechanisms are straightforward and clarify the commissioner’s powers. In short, the Office of the Commissioner will now have the power to enforce the law, which unfortunately is not now the case.

By providing better oversight of organizations and the use of personal information to which they have access, Bill C-475 gives Canadians an assurance of acceptable risk management and the right to protection of their information. This bill was drafted to address the concerns of Canadians, people in the digital industry, civil liberties organizations, Internet experts and specialists in the protection of privacy.

I had the opportunity to hear a great deal of evidence from experts during a study the Standing Committee on Access to Information, Privacy and Ethics conducted on social media and privacy from May to December 2012.

Bill C-475 is a direct response to requests from the community to adapt the law to suit our digital age by providing some flexibility for people in the industry and clarifying the ombudsman’s role of the Office of the Commissioner.

Moreover, during many consultations specifically discussing the bill, the same conclusions emerged. The bill therefore takes a very balanced approach. It is balanced with regard to Canadians, since objective risk analysis will ensure that they are not bombarded with notifications of data breaches that do not affect them at all or present a minimal risk. The bill is also balanced with regard to companies, since clear roles and processes enable them to plan their policies and response.

It will be clear for organizations that they are required to report a breach to the Office of the Commissioner, but they will not be responsible for deciding what the ultimate risk is. Companies that are law-abiding will no longer have to compete with companies that are not.

Lastly, the bill makes it possible to bring our privacy protection legislation up to the same level as countries like Germany, Great Britain, Australia and France, or indeed to the level of provinces such as Quebec and Alberta.

As a world leader in technology, Canada should be adopting international standards.

Bill C-475 offers a different vision from that proposed by my colleagues opposite, who in 2007 introduced Bill C-12, which is no longer supported by the Privacy Commissioner. They will probably tell me they have already introduced a bill to modernize the Privacy Act, but I would like to remind them that it dates from 2007 and is absolutely not representative of our day and age, particularly when you consider that technology changes extremely quickly.

Bill C-12 was introduced in the House, but there has been no debate for six years, and its content has therefore become outdated. It certainly no longer represents a serious attempt by the government to modernize the legislation in order to better protect the public. Moreover, a problem with the mechanisms proposed in Bill C-12 to deal with a breach shows that it is completely inadequate.

The risk threshold for notifying the Office of the Commissioner is very low and subjective. This poses two major problems. The first is that because the threshold is low, users and the Office of the Commissioner will be notified less often in the event of a breach.

Organizations could avoid notifying those concerned, which poses a major problem with regard to their security. Nor will they have the power to protect themselves and reduce the potential harm to which they are exposed.

The second problem is that experts testifying before the Standing Committee on Access to Information, Privacy and Ethics explained the need to obtain better data in order to gain a better understanding of the cybersecurity risks Canadians face every day. A low, subjective threshold reduces the data to which they will have access, which makes them less able to advise the government and companies on the risks associated with their practices.

My bill establishes an objective threshold, and the Office of the Privacy Commissioner will be mandated to assess the risk associated with a breach. The interests of Canadians, which we in this House have the responsibility to protect, will be paramount.

Quebeckers and Canadians support the measures and principles in my bill. In April the Office of the Privacy Commissioner published a cross-Canada survey showing that 97% of Canadians would want to be notified by an organization if their personal information was compromised. Note that this is the overwhelming majority. In addition, 80% of respondents would also grant more powers to the Office of the Privacy Commissioner. Again, a large majority of Canadians supported these measures.

My bill has garnered support from all classes of stakeholders affected by these changes, including industry representatives, civil liberties organizations, consumer protection agencies and academics specializing in law, communications, cybercrime and political science. I could go on, but there are too many to name them all.

The Union des consommateurs has stated that:

[it] believes that the implementation of the principles proposed by the NDP, through their private member’s bill amending the Personal Information Protection and Electronic Documents Act, constitutes a real advancement to better protect the privacy of consumers.

Michael Geist, chair of Internet and e-commerce law at the University of Ottawa and renowned public affairs pundit, has said about my bill that:

Bill C-475 is a far better proposal.... Those provisions would do far to ensure a greater respect for Canadian privacy law and give Canadians the assurance of notifications in the event of security breaches.

Steve Anderson, executive director at OpenMedia.ca, stated that:

We welcome...[this] online privacy bill because we think it's a tool that can later be applied to protect our privacy against reckless warrantless access to our private information by government authorities. This bill is a useful stepping stone to safeguard our privacy.

Canadians trust us to act in their best interests. They clearly want us to give them better protection. By voting for Bill C-475, my hon. colleagues will be giving them the reassurance of stronger support for their rights and the power to protect their privacy.

moved for leave to introduce Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power).

Mr. Speaker, over the past several years Canadians have witnessed what the Conservative privacy agenda has to offer: online snooping bills and inaction on data breaches.

Today I am presenting the NDP's vision of personal information protection. This bill will encourage compliance with Canadian laws and ensure that individuals are notified when their information has been compromised.

In our increasingly digital world, Canadians can no longer wait for the government to modernize our outdated privacy laws. Inaction means greater risk to the security of the personal information of millions of children, seniors and all other Canadians online.

Canadians and Quebeckers should feel perfectly safe using new digital technology. We can encourage Internet users to be fully involved in the digital economy by giving them the confidence to put personal information online.

My bill proposes positive and balanced privacy protections that are needed in the digital age.

I hope that all of the members in the House will vote in favour of this much-needed legislation so that the privacy of their constituents, their children and their families will be well protected.

(Motions deemed adopted, bill read the first time and printed)