Bill C-475 (Historical)

Mr. Speaker, it is a pleasure to rise and speak to Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act, called PIPEDA. The bill has the rather misleading title of the digital privacy act.

I will be speaking against this bill for a number of reasons that have been articulated very well in past debates by the member for Terrebonne—Blainville, our digital issues critic. She has brought in a bill of her own. The government took parts of it and did not go as far as it needed to, to actually protect the digital privacy of Canadians.

I would like to, first, talk about why this is such an important bill. Second, I will talk about the history of getting it here. Last, I will talk about some of the critical problems with this bill and propose an amendment at the end of my remarks.

E-commerce is the backbone of the modern Canadian economy and it is only going to be more important going forward. Think of our children and their use of digital material.

My colleague, the member for Toronto—Danforth, made some comments about e-commerce and why this bill, which underscores legal protections for privacy and e-commerce, is so important. He said that the world's largest taxi company has no cars. It is the largest taxi company because it has personal information. It is called Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company because it owns personal information. The world's largest retailer has absolutely no inventory. He was referring to Alibaba in China.

As we move to what my colleague called the Internet of Things, by 2020, we will have 26 billion devices connected to the Internet. I hope that people appreciate that we are moving into an economy where we need to know the rules of the game and we need to know that our personal privacy in the private sector is protected. Business wants that certainty and consumers demand that what is left of their privacy be treated fairly by those private sector organizations that hold their information.

Canada is really in a unique position on the planet. We are halfway between the European Union, which has a very aggressive data protection regime, and the United States, which has sectoral legislation but not a comprehensive private sector law like PIPEDA, the bill that is before us in its amended form.

I say that we are halfway between those two regimes because, under PIPEDA, Canada has managed to create what is called a substantially similar regime to the European Union. That means that e-commerce companies in England, Ireland, France, and the 28 other countries that make up the EU can confidently share their personal information with Canadians because they know that they will have substantially similar protection. Canada achieved that. The United States does not have anything like that, so companies like Google and Facebook will often use Canada as a launching pad.

If we can make privacy protection sufficient in Canada, it will likely be sufficient for Europeans, who have had the most stringent requirements of privacy on the planet. It is important that we get this right.

It is amazing and very timely that we are having this debate at this time because on Monday of this week a clear signal was given by the Council of Ministers in the European Union that it is going to go for a regulation soon, not the directive that has been enforced for some time. After two years, all 28 countries will have to come up with an even more stringent regime.

That is why this bill is so problematic. It would not help small business, as I will describe, and it certainly would not give consumers the protection that the courts say that they are entitled to. I refer to the case of Spencer in 2014, where warrantless searches were said to be not on for Canadians, yet they seem to be just fine in this bill, which is odd. We need it get it right from a commercial point of view, as well.

I am indebted to Professor Michael Geist, who testified before the industry committee and the Senate, and who is so prolific and thoughtful in his analysis of private sector privacy legislation and other privacy regimes. He talks about how it is has taken us eight to nine years to get to this state.

I wanted to talk about this because the government's ineptitude in helping the e-commerce industry that I talked about and protecting the privacy of Canadians is on full display in the history of this bill.

The Conservatives tell us that it is urgent, that we must get on with it. Well, that is because they have dropped the ball, as I will describe in many ways. It has taken eight or nine years to get to this situation.

The Conservatives left an earlier version of a privacy bill sitting for two years in the House of Commons with no movement whatsoever and then it died at prorogation. How did that happen? In November 2006, the Standing Committee on Access to Information, Privacy and Ethics undertook its hearings on this reform. That was one year later than the five-year review process required by the act.

Just to back up, PIPEDA, the bill before us that is being amended, requires parliamentarians to review it after five years. They could not even get that deadline together.

In 2007, there was a report recommending certain things be done. Nothing seemed to happen. First reading was in 2010 for Bill C-29, the first PIPEDA reform. Second reading of the bill was in October. In September 2011 there was the first reading of Bill C-12, the second attempt to reform PIPEDA. That never got past second reading. It died when the government prorogued. Then another bill, this Bill S-4 was introduced in April 2014. This was the third try. Three strikes are lucky, I guess.

Here we are before Parliament with a bill that when it was in committee, the government said solemnly that it was urgent that we get on with it because it did not want to take a chance on any further delays and amendments. It is laughable the way the government treats the backbone of e-commerce, this privacy legislation. It has taken eight or nine years to get to where we are tonight. In the dying days of Parliament we are debating the legislation. It shows how important this must be to the government of the day.

In my riding, where we have a thriving e-commerce industry, with start-ups trying to develop apps and so forth, the bill is important and the government treats it with a history of neglect, which is the best way I can put the ineptitude I have described.

It is critical for small businesses, as I will describe, because they just do not have the wherewithal of large business to comply with some of the provisions of the legislation. I will come to that in a moment.

What does the bill do? Some of the things it does right is that it has finally agreed with endless Privacy Commissioner recommendations that there ought to be mandatory breach disclosure. If there has been a breach of data by a company, where it is sent to the wrong place and suddenly my personal information is found in the back of a taxi cab on a data stick, someone has to be told about it. That is pretty simple and obviously long overdue. That is a good thing to have in the bill.

Second, there are increased enforcement powers for the Privacy Commissioner, including the notion of compliance agreements that companies would enter into. This is a long-standing consumer protection approach that has now found its way into the bill.

According to experts, such as Mr. Lawford, testifying on behalf of the Public Interest Advocacy Centre, it would likely result in fewer reported breaches because it leaves the determination of whether a breach causes a real risk of significant harm entirely in the hands of the private sector companies.

Do the words “conflict of interest” seem to come up? They do and that obvious conflict of interest is fatal to the purpose of the bill. Why is a company going to want to blow the whistle on itself? It seems a bit odd and others have suggested, as has my colleague from Terrebonne—Blainville, in her Bill C-475, that it ought to be for the Privacy Commissioner, an independent officer of Parliament, to pass on that, not the industries themselves. That was the subject of much criticism in the industry committee, which studied Bill S-4.

That gives me a chance to talk about the attempt by the opposition to actually get meaningful debate in the industry committee. Since I got here, probably the most disappointing thing I have found is the government's utter indifference to any amendments unless they come from its side of the aisle.

There is an effort to have a real dialogue and to improve this and come up with a kind of unanimous support for something which is technical in nature, but the government said no to every single amendment, which, of course, in my experience is the way it does it every single time. I have been on two committees and I have not seen one amendment passed that anybody but the government proposes.

Trying to co-operate with the government to do something which is at the backbone of the new economy and it will not even talk to us. Apparently, that is how the government wants to do business. Fortunately, like so many Canadians, I hope that these are the dying days of a government with such arrogance and indifference to what Canadians want.

The efforts to try to fix this bill fell on deaf ears. My colleague, the digital critic from Terrebonne—Blainville, proposed that the Privacy Commissioner be the one who determined whether a data breach was significant enough to report, which makes sense, as opposed to the fox in the henhouse, where a company has to decided whether it is big or little.

That is not for banks to decide, whether they weigh their reputational risk that they might have versus consumers' rights. I know who could do that, an officer of Parliament. That would be the right person to do that. That is what my colleague suggested. The Conservatives propose putting the burden on companies.

Here is the problem with that, and not only the obvious conflict of interest but there are large companies, think banks, telecoms, companies of that size, that have departments that are responsible for privacy protection. More and more companies have what is called chief privacy officers to regulate this very technical area of the law.

They do a good job sometimes, but they often have this penchant that they obviously feel when they are trying to protect privacy, which is their job description, and not make a career-limiting move when information that is disclosed could cause harm, and the company would be angry with them and shoot the messenger. I have talked to CPOs in companies that tell me that the conflict is alive and well and I can understand that.

Small companies do not have these chief privacy officers, for example, to determine whether there is a significant breach or a significant risk of harm. They have no idea what to do. They want to co-operate, but they do not have the personnel or expertise to do it.

My colleague reasonably suggested that we give them a little help by letting them have access to the Privacy Commissioner's expertise and resources. Is that not a common sense provision? Is that not one that would help those small start-ups in the e-commerce industry that would really like the opportunity to do the right thing but do not have the budget to do it?

The economy in my community, the largest sector now, is not tourism or hospitality, it is high tech. The people who are producing the largest contribution to the Victoria economy are people who are just in this situation, wanting to understand the rules of the game in the new e-commerce, looking to the government to give them clarity, make it easy for them to do the right thing, so they can compete internationally, as they are doing so effectively, and to be onside with the European Union's incredibly stringent rules.

Guess what? They do not have a CPO, paid $150,000 a year or whatever, like the large banks would. The government has done nothing to assist them and they are angry about it. They do not understand why this so-called business-friendly government simply does not get it.

Some 18 amendments were proposed by the NDP and 18 amendments declined by the government of the day. We tried to work it out, but the government just wanted to jam it through. To add insult to injury, for the 97th time it used time allocation on a bill of a technical nature like this. I think the government is over 100 times now.

In the history of Parliament, has there ever been a government that has done this more often? I certainly do not know. I want to study it. I have a student looking at this because the arrogance and the anti-democratic behaviour of the government has to be exposed. The 97th time was for a bill on digital privacy. It is shocking and shameful that we are in this world today with this government.

The Supreme Court has told us that warrantless searches are wrong. They are unconstitutional. My colleague from Toronto—Danforth said we should send it to the court for a constitutional reference. We cannot have yet another loss in the Supreme Court. How many would that be? I have lost count. It is six or seven. How about having a reference to the Supreme Court of Canada?

The leader of the opposition asked for that today with respect to Bill C-51. The government, of course, would never do that. It just wants to go lose again in the Supreme Court.

The Spencer case in 2014 established that warrantless searches are a bad thing. How can the government then put these searches into Bill S-4, the bill before us, and pretend it is going to be constitutional? It is great work for lawyers. I have many friends who welcome the government's position because it is a make-work project for constitutional lawyers, but is it helping the Canadian taxpayers? Is it helping the e-commerce businesses, those little businesses from coast to coast that are struggling in this international economy? Do they have the clarity they need to go forward? Why do we have to waste our time with yet another Supreme Court loss by the government? It makes no sense.

Could the government have co-operated a little with people of good faith who wanted to make it better and solve this problem, as New Democrats tried to do in committee? One would think the government would welcome that, but it simply said no.

My next point is kind of a technical thing, but I want to raise it. We talked about breach notification, and I want to give an idea of how complicated this is for the little mom-and-pop or individual family businesses that are now arising in the economy. Clause 10, which would add section 10.1 to PIPEDA, talks about the kind of notification that is required when there is a breach. I want to give an idea of how complicated this can be and how lack of clarity means something.

Proposed subsection 10.1(5) says, “The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.”

Three times the word “prescribed” is mentioned, which means it will be prescribed by regulation to follow later. There would be regulations that would define the kinds of things that would have to be done to give notification of a breach. However, as an example, let us take a small business that is trying to do the right thing. When there is a breach, it wants to notify people immediately. What is it going to do? Until there are regulations, it is utterly meaningless.

I know the government will bring in regulations eventually. That is a good thing, and I am sure companies are looking forward to seeing them, but as they plan ahead in this incredibly dynamic sector, they do not have a clue, and neither do we. None of us can say what those prescribed requirements are, because “prescribed” means to follow later in regulations, regulations nowhere to be found. People will have to try to figure that out. People sitting in a little start-up in Victoria or St. John's or Toronto or Montreal will have to try understand how to work their way through this difficult bill.

It is a history of neglect. It is a history of failure to listen to the opposition, which wanted to work together to create this regime. It has a history of eight or nine years in coming to the dying days of Parliament, but we should not worry, because it is urgent now, according to the Minister of Industry.

New Democrats do not believe it.

Therefore, I move:

That the motion be amended by deleting all the words after the word “That” and substituting the following:

“this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it:

a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected;

b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies;

c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances;

d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and

e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”

Mr. Speaker, this bill establishes a mechanism to be used by organizations to report data breaches, data thefts, and so forth, which is very important. I called for such a mechanism in the House and proposed one in my Bill C-475.

However, the model proposed by the government in this bill is extremely subjective. The organization itself determines whether or not the data breach is serious and whether or not to notify the people concerned. Some data breaches may not be reported to the commissioner or the individuals in question. The individuals would not have the opportunity to take the necessary steps to properly protect themselves.

Instead of implementing a subjective measure, why not implement an objective measure that would put more power in the hands of the individuals whose identity or personal information has been stolen or breached?

Mr. Speaker, it is my pleasure today to rise and speak to Bill S-4.

As my colleague mentioned a couple of minutes ago, I too have very serious concerns that here we are in a parliamentary democracy with elected MPs sent here by their constituents to do the work of Parliament, and Conservatives have brought forward a bill introduced by the unelected Senate. It sort of begs this question. What was the real agenda behind doing this? Was it to fast-track it? Was it to try to give the Senate some sense of credibility as it goes through some very difficult and challenging times?

Nevertheless, it is about process, and now that I have made my point, I also want to make the point that in Parliament, as my colleague across the way pointed out, there is a natural rhythm as to how bills are introduced in the House and debated. The government, in its wisdom, first took a Senate bill instead of spending the time, of which it has a lot, to bring forward its own bill. It took a Senate bill and, even before second reading, basically declared that it was not willing to accept any amendments, which really makes one wonder what the purpose has been behind a lot of legislation.

Now I know that my colleagues across the way have an allergy to evidence, science, and data and do not really like listening to all the expert witnesses that are flown in to appear before committees. The interesting thing is that even before they heard from those witnesses, they started to make comments such that they did not want to accept any amendments because if they did, the bill would have to go back to the Senate. It does not seem to me to be a good reason to bring forward legislation that is poorly thought out.

I am not saying it is not needed. It is.

As a matter of fact, my esteemed colleague from Terrebonne—Blainville introduced Bill C-475, which would have actually addressed many of the concerns that Canadians want addressed. That is an example of a well-thought-out bill that would not overreach but would actually do the job that is needed, which is to modernize our code of conduct around personal information. With the advent of electronic and digital media, we absolutely need some changes.

Getting back to the bill, once again, it is a process that is flawed. Experts came forward and gave testimony. I sometimes wonder, if the government's mind is already made up that it is not going to accept any amendments, what the purpose is of flying in experts to present their testimony. To me, that is the highest sign of disrespect. It basically says the government has already made up its mind, but just to make witnesses feel better, it will hear from them. That is really bad form.

Here is something else. The NDP put forward 18 amendments, well thought out and researched, supported by the evidence that was presented and by experts; and other people presented 14 other amendments. True to their commitment or the bizarre statement before the bill got debated, there were zero amendments accepted by my colleagues across the way. So much for committees working with consensus.

I have often heard ministers from the other side of the House say they have to rush things through the House because at committee stage experts will be heard and that is when we get to have the really meaty debates. I have never bought that, and evidence bears out that it is not how committees work. Despite hearing expert witnesses and hearing from the opposition, the Conservative government accepted zero amendments, and that says a lot about the process.

Now the bill is back in the House, and we are debating it, but once again, there is time allocation. The government could have moved on the bill over the last number of years, but it chose not to. Here we are in the last three weeks, when suddenly the Conservatives have rediscovered that they had better do something. After all, it is election time. They are now moving time allocation to prevent the Canadian public from knowing what is really in the bill. One way to do that is to limit and shut down debate, which seems to be a very common move by the government.

Here are some facts and figures. The Conservatives made 1.2 million requests to telecommunication companies to obtain Canadians' personal information in just one year. Some 70% of Canadians feel less protected today than they did 10 years ago. With this bill, they have reason to feel even more concerned and worried, because now there are all kinds of loopholes in the bill whereby their information can be shared way beyond the person they give it to.

Some 97% of Canadians say they would like organizations to let them know when breaches of personal information occur. That is reasonable, but if companies are giving away data themselves, I personally see that as a breach, because they have breached my trust, because I gave the data to them. We have some concerns around that as well. Some 80% of Canadians say they would like the stiffest possible penalties to protect their personal information, and 91% of respondents—not 51%, not 41%, not 21%, but 91%—are very or extremely concerned about the protection of privacy. It seems to me that the government should be paying some attention to what Canadians are feeling and their fears.

There was also a Supreme Court ruling, on June 13, 2014, pertaining to the sharing of personal information. The Supreme Court stipulated that subscriber data, including name, address, email address, phone number, ID address, et cetera, cannot be disclosed to a third party without a warrant. In light of this decision, the constitutionality of certain provisions in Bill S-4 is questionable.

I am sitting here thinking that a government that really wanted to do due prudence would actually pay attention to the fact that the Supreme Court had made a ruling. Despite that ruling, we did not see any amendments from the Conservatives, nor were they willing to accept any of ours, which really lets me know that to pander to their friends, they are willing to sell out Canadians, they are willing to ignore the Supreme Court ruling, and they are burdening hard-working taxpayers with future challenges in the courts, because that is where this will certainly end up.

The NDP believes that Canada needs a mandatory data loss or data breach reporting mechanism based on objective criteria. We are not the only ones who are saying that. Witness after witness said that we need the Privacy Commissioner to have some powers over this.

Huge companies get our data through nefarious means, some of them very innocent, like when we pay bills with a credit card. They not only get what we paid and where we bought something but all that micro-targeting information can now be moved on to other companies when a company deems fit. To me, that is just not acceptable.

I would urge my colleagues across the way to not ignore Canadians or the Supreme Court ruling. Let us make sure that we address the deficiencies in this bill.

Mr. Speaker, I rise in the House today on behalf of my constituents from Surrey North to speak on Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act. I rise today because I oppose the bill in its current form.

Members from three parties proposed amendments to the bill so that it would stay within constitutional boundaries. However, the Conservatives rejected every single one of those amendments, even the amendments that were drafted according to the comments and suggestions from the witnesses.

As the official opposition, it is essential that we carefully review the legislation and voice dissenting opinions in order to ensure that each bill is thoroughly examined. In this case, as in most cases that I have experienced in the past four years, it is evident that the Conservatives are determined to push through their own agenda on their own timeline.

I feel strongly that it is important for Canadians to know that their privacy is being protected, especially in the digital age that we live in. However, just because the Conservatives have not conducted the mandatory five-year review of the Personal Information Protection and Electronic Documents Act, PIPEDA, does not mean that we should rush through an unbalanced bill.

I feel very strongly that the bill before us was not well studied and needs to be fixed before it is passed through the House. In fact, the Conservatives did not support or submit any amendments to the bill because they did not think that would allow enough time to pass the bill before the election. This sounds politically expedient to me. Canadians deserve better than what the Conservatives are giving them.

The issues surrounding online privacy and safety are not new problems. Rather, they are existing problems that have become increasingly harder to protect against as technology continues to advance. Therefore, given the changing nature of the problem, it is important that the legislation that we create also evolves.

I am glad that after so many years of inaction, we are finally considering legislation to address online privacy issues. My colleague, the member for Terrebonne—Blainville, tried to take action to protect Canadians' privacy back in 2012 with Bill C-475. Unfortunately, that bill, which was stricter and more effective than the bill before us although very similar to it, was voted down by the Conservatives.

The Conservatives have become very good at pretending they know how to do their jobs and protect Canadians. They are actually able to stand up in this House and lie through their teeth in saying that this is a balanced bill, and they believe that.

Online privacy and security breaches have the potential to significantly harm an individual. Protecting these rights is important for all Canadians so that we do not put anyone potentially in harm's way.

Some Canadians may feel that the bill does not affect them in their daily lives, but I can assure them that Bill S-4 would affect every single Canadian.

One part of the bill that I am very concerned about pertains to the sharing of our personal information. The bill contains a provision that would make it easier for companies to share our information without our knowledge or consent, without a warrant, and with zero oversight. It is troubling to me that there is no mechanism in place for oversight.

Do the Conservatives remember the ruling in Regina v. Spencer? I do. In this decision, the Supreme Court of Canada ruled that Canadians have a reasonable expectation of privacy online. More specifically, the Supreme Court stipulated that spyware data cannot be disclosed to a third party without a warrant.

In light of this decision, it is questionable whether certain provisions in Bill S-4 are even constitutional. There are limits on what the government can do, but the Conservatives seem to have forgotten that.

We are demanding that every clause pertaining to the warrantless disclosure of information be withdrawn out of respect for the Supreme Court ruling and the privacy of Canadians.

There is no doubt that the Conservatives have a dark past when it comes to protecting personal information, and this bill would only add to that darkness. The lack of oversight and the allowance of warrantless disclosure has led to 1.2 million secret requests from Conservative government agencies for personal information from telecommunications companies in one year alone. Under the current Prime Minister, staggering numbers like this show that something needs to change, and it starts with this bill.

The Conservatives' hesitation to accept amendments to this bill makes me question whose interests they are truly protecting. Are they protecting the interests of Canadians, who deserve to trust that their personal information will be protected, or are the Conservatives protecting their own self-serving interests?

We would like to see this bill contain a mandatory data loss or data breach reporting mechanism. However, the bill in its current form would most likely result in fewer breaches being reported. It would be up to the organization that suffered the breach to determine if the breach posed a real and significant risk of harm. Companies want to save their reputation and money, so why would they inconvenience themselves by reporting a potentially embarrassing breach of privacy that could cause consumers to lose trust in them when they could just hide it instead?

There would be no incentive to report a breach and no advantage to doing so. This is a conflict of interest that would deprive Canadians of the information that they need to make informed choices about which companies they decide to share their personal information with.

Furthermore, because of the Conservatives' inaction, PIPEDA, which is supposed to be updated every five years, is falling far behind international standards. Since the first statutory review in 2007, subsequent attempts to amend PIPEDA have died on the order paper. After this long wait to update PIPEDA, the bill would simply not go far enough to protect Canadians in this digital era. We as Canadians are getting the message that the government does not take the protection of personal information seriously.

I, along with my fellow NDP members, truly do not ask for much when it comes to this bill. We have long called for the modernization of Canadian privacy laws. They are not up to date. Instead of making it easy for companies to share our information, the government should put deterrent penalties put in place that would require or encourage these private companies to respect and follow Canadian laws. Following that, we insist that the provisions in Bill S-4 to allow organizations to share personal information without consent or a warrant be removed and that the loopholes in PIPEDA, which do the same thing, be closed.

The point of the Constitution and the Canadian Charter of Rights and Freedoms is to protect the very rights and freedoms contained within them. Warrantless access to our subscriber data and personal information most definitely poses a risk to Canadian privacy.

Modernizing the laws that govern the protection of personal protection is an important issue in the digital age. However, ramming through a bill that has huge holes, such as this bill, is not a fix that can make up for years of inaction by the current government. I urge the Conservatives to accept the amendments to this bill so that we can work collaboratively to ensure that all Canadians can trust that their personal information is being protected to the best of the government's ability.

One of the other things that was very troubling was seeing time allocation moved for the 97th time. Time allocation basically puts closure on this bill. It does not allow for all of the members to bring the views of their constituents into the House, which is one of our primary jobs.

This is the 97th time the Conservatives have done it and I can assure you, Mr. Speaker, they are not going to get the chance after October 19, because Canadians are tired. They have seen democracy and the workings of democracy crumble. These guys are going to be out.

Mr. Speaker, the Conservatives came to the committee study of this bill with their minds already made up. They said that we absolutely had to pass this bill in its current form without any changes, otherwise the process would take too long, especially with the upcoming election. Everyone in the House knows that we will be having an election soon, but the Conservatives had four years to do something.

The member even said in his speech that this bill was overdue and that it was needed. Of course this bill is long overdue, because the Conservatives waited four years before they introduced anything. Bill C-12 disappeared completely, and some reviews of PIPEDA simply fell through the cracks because the Conservatives did not act. They could have voted in favour of my bill, Bill C-475, and the legislation would already be amended.

Why did they adopt that attitude at the committee meetings? How can they justify such an undemocratic attitude towards this bill?

Mr. Speaker, I thank my colleague for the question.

Indeed, the way this bill was examined is very problematic. From what I remember, and someone will correct me if I am wrong, this is the only time a bill has been sent to committee for study before second reading. In such a situation, one might think there are changes to be made, otherwise why would we do that? Furthermore, this exceptional measure would allow the committee to put forward amendments that go further than the strict substance of the bill, and it is therefore a good opportunity.

We were not able to seize the opportunity, however, because the Conservatives came into the committee room saying that we should just accept the bill, otherwise there would be no changes at all to the Personal Information Protection and Electronic Documents Act, or PIPEDA.

Yes, we are running out of time. We understand that. However, the Conservatives had many opportunities to amend this legislation. They waited for years to review PIPEDA as they were supposed to do, given that under the existing legislation, the act is supposed to be reviewed every five years. We could have passed my bill, Bill C-475, which could have become law. Bill C-12 disappeared. In short, they had many opportunities.

Instead, they dragged their feet for years. When we were hearing evidence and during the study in committee, they said that time was running out and we had to accept the bill as is. Well, that is no way to operate, especially in a democracy like ours.

Mr. Speaker, unfortunately we will oppose Bill S-4 for the reasons I will provide in my speech.

What I am especially disappointed about is that we all voted in good faith for this bill to be studied in committee before second reading. We told ourselves that we could perhaps work together to improve the bill and eliminate the most problematic parts or ensure that it would truly protect Canadians in the digital age. Unfortunately, that did not happen, even though we know that there are more and more risks associated with protecting personal information online.

For more than four years, we have been in Parliament with the same government that rejects all our motions and refuses to work with us in committee. This time, I do not know why, but I had hoped that we could work together.

Usually, a bill is sent to committee before second reading because there are problems with the bill and we want to make changes. Perhaps we want to change something or make changes to PIPEDA that go beyond the immediate scope of the bill. We had hoped to work together. Unfortunately, that did not happen.

That is why I moved three motions today to remove the most problematic sections from this bill. These motions will be voted on together.

We heard over and over that these two sections—clauses 6 and 7—are extremely problematic. These clauses will make it easier to share people's personal information without their consent and without them even knowing that their personal information is being shared. The government is trying to broaden the scope of situations in which information can be shared without consent. That is extremely problematic.

Obviously, there are sometimes extreme circumstances that require personal information to be shared. Such situations exist. Everyone knows that. We take issue with the fact that there is no transparency. There is no mechanism in place to ensure that this information is shared only in exceptional and urgent circumstances. What is more, the threshold of reasonable suspicion is very low.

As a result, we voted against these clauses when the bill was examined in committee. Unfortunately, the Conservatives decided to go ahead with them anyway.

We even proposed amendments to improve these clauses by restricting the kind of situations in which information sharing can happen and creating a system that encourages transparency. There has to be an accountability or oversight mechanism to ensure that this information sharing only happens under exceptional circumstances. That is really not the case.

As I said, we proposed amendments to improve the bill because everyone in the House of Commons knows that protection of personal information is a big issue right now, one that is really important to our constituents.

I even give computer security courses to seniors in my community because they want to understand how to use new technology and they want to have a certain level of confidence when it comes to protecting their information and their identity.

Everyone agrees that this is an important issue and that we have to update PIPEDA to ensure that it can better address the threats present in the digital age in the 21st century.

Unfortunately, the Conservatives' approach was to put something on the table and refuse to accept any amendments or listen to what the witnesses had to say. They just forged ahead.

All of the parties proposed amendments, except for the Conservatives, of course, and all of the amendments were rejected. The NDP even proposed 18 separate amendments that were all rejected.

Most of all, I deplore the fact that from the beginning of the committee's examination of this bill before second reading, the Conservatives said they did not want to change anything. Why should we bother voting to send something to committee before second reading if, from the beginning, the Conservatives have already decided that they will not change anything? It makes no sense. It also demonstrates bad faith. We are supposed to examine bills with an open mind and a desire to improve them, correct their shortcomings and work together. That is what it means to live in a democracy.

The Conservatives even insulted some of the witnesses during the study in committee, telling them that they could choose to either vote for the bill in its current form or accept that there would be no changes to the Personal Information Protection and Electronic Documents Act before the next election. I understand we are having an election soon, but the Conservatives had plenty of opportunities to modernize the Personal Information Protection and Electronic Documents Act. There was Bill C-12, which simply disappeared because of prorogation. The bill that I introduced in the House contained very similar provisions to the ones found in Bill S-4, but the Conservatives voted against my bill.

These changes could have already been in the legislation. Unfortunately, the government suddenly says the timeframe is too tight and the only thing we can do is pass the bill as is despite all its problems and flaws. The government simply wants to pass the bill as is. I think the Conservatives are being disingenuous about this. To tell all the witnesses that the choice is between this bill and nothing is really insulting to them after they took the time to travel here to share their opinions and present their proposed changes.

Since the government rejected all the amendments and we did not manage to improve the bill, the NDP will have to vote against it even though we recognize that some provisions are a step forward, although they do not go as far as they should. Nonetheless, I cannot vote in favour of a bill that will create more opportunities for personal information to be shared without consent, without authorization, without the individual concerned being informed, and without a proper oversight mechanism. That is what this bill would do.

Clauses six and seven, which my motions would eliminate, will weaken the protection of privacy by allowing the sharing of personal information without the consent and authorization of the individual concerned. I already stated that the threshold was very low. I proposed raising the threshold so that the organization asks questions before sharing this information. The Conservatives refused. The Privacy Commissioner even raised concerns about this provision. He said that it could open the door to abuses, and that is what we found. This government made 1.2 million requests to Internet service providers to obtain personal information as a result of flaws in the Personal Information Protection and Electronic Documents Act. There have been actual abuses. As members of Parliament, we cannot consciously open the door to further abuses. However, that is exactly what clauses six and seven of this bill do.

I will now read what the Privacy Commissioner said at the February 17, 2015, meeting of the Standing Committee on Industry, Science and Technology:

Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.

This is very problematic because according to its title, this bill is supposed to create the digital privacy act. I am sorry, but there is a problem when parts of the bill contradict its objective. You do not have to be a genius to understand that.

I would like to share a quote from Michael Geist, who also testified at the Standing Committee on Industry, Science and Technology on March 10, 2015:

...the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed....With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

He also took the opportunity to disagree with the process that the Conservatives put in place and the idea that we should pass this bill without amendment because we are out of time.

The warning mechanism for a data security breach proposed in the current bill is another problem. Many parliamentarians understand the need for such a mechanism. This was brought up in the committee on which I sit, the Standing Committee on Access to Information, Privacy and Ethics, while we were studying this bill.

As the Privacy Commissioner has said many times, we must require that organizations notify individuals when their data are compromised. In a number of cases, as with Target and Home Depot, the data of thousands of people have been compromised or lost completely. Since the people in question are not always informed, they are not in a position to protect the compromised data. That is a huge problem.

Bill S-4 fixes this problem but does not really go about it in the right way. The proposed model is much too subjective because it allows the organizations themselves to determine whether a data breach creates a real risk of significant harm to an individual. The organizations therefore have to police themselves. They also decide for themselves whether to inform, or not, the Privacy Commissioner and the individual affected of any data breaches that occur.

The model that I am proposing is more objective. I proposed it before when we were examining this bill in committee and when we were examining my private member's bill, Bill C-475, which could have been passed already had the Conservatives not voted against it. This model would give the Privacy Commissioner the power to determine whether a security breach is serious enough to inform the individual. Thus, it would not be up to the organizations to do it.

What is more, PIPEDA covers all organizations, from convenience stores to large digital technology corporations. Some organizations, such as convenience stores that have only a couple of employees, are unable to determine how serious a data breach is. It is therefore important to allow them to turn to an expert, namely the Privacy Commissioner.

I would like to read a quote from John Lawford, the executive director and general counsel for the Public Interest Advocacy Centre, who testified before the Standing Committee on Industry, Science and Technology on February 19, 2015. He said:

Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4, incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.

As he said, the proposed mechanism is much too subjective. It is unfortunate that the Conservatives refused to implement a more objective system.

This bill does not give the Privacy Commissioner the power to issue orders. The former privacy commissioner, Jennifer Stoddart, asked for that repeatedly. Provincial privacy commissioners also wanted it because they have that power.

All too often, organizations do not act on recommendations made following an investigation by the Privacy Commissioner. Big international companies do not think they need to comply because it is just Canada, but Canada's laws must be respected. When our laws and the Privacy Commissioner's recommendations are constantly ignored, we need to fix that problem.

We could give the Privacy Commissioner the power to issue orders, but there is nothing about that in the bill. Instead, it calls for compliance agreements, which do not go far enough and do not really motivate organizations to act on the recommendations because they are not orders. We wanted to fix this problem, but once again our proposal was rejected.

I would have liked them to adopt the model I proposed in Bill C-475. I suggested following the usual investigation procedures, after which the commissioner would issue orders and set a deadline for compliance. The parties would act in good faith. For example, if problems were not resolved within a year, the Federal Court would impose a fine.

This system would give organizations that comply with the law and the recommendations a chance, with no repercussions whatsoever. However, if we do not find a solution and do not encourage organizations to respect privacy, there will continue to be abuse, and the law and the Privacy Commissioner's recommendations will continue to be ignored.

Bill S-4 is a step in the right direction, but it does not go far enough. That is what I said throughout the entire study. As a matter of fact, some witnesses also said it was important to have a system that truly encourages privacy protection.

What is more, given that we studied this bill in committee before second reading, we had the opportunity to correct other problems with the Personal Information Protection and Electronic Documents Act, because we knew there were some flaws. Under what circumstances is it acceptable for the government to submit at least 1.2 million requests a year for personal information to Internet service providers? This is a serious problem, but nothing is being done about it.

I thought we could sit down as parliamentarians and come up with ways to put oversight and transparency mechanisms in place and even get rid of these flaws and abuses. This was a missed opportunity.

Recently, the Supreme Court established in Spencer what was reasonable and not with regard to privacy protection. Unfortunately, that ruling was not taken into consideration during the study in committee. The Personal Information Protection and Electronic Documents Act was not amended in order to make it consistent with the Supreme Court ruling. That needs to be done. The government needs to show some vision and correct these flaws to provide better protection of Canadians' privacy because that is what Canadians deserve.

Thank you.

Mr. Chair, this is essentially a reiteration of Madam Borg's Bill C-475, which we think is a great model on this topic and we would like to acknowledge her hard and competent work on this file.

The creation of compliance agreements is a step in the right direction, but order-making powers need some form of direct regulatory action such as administrative and monetary penalties. Without such an incentive—you might even call it a threat—it is difficult to see why an organization would enter into such an agreement. Reforms are needed, with real penalties to ensure compliance.

Thank you, Mr. Chair.

(Amendment negatived [See Minutes of Proceedings])

(Clause 15 agreed to on division)

(Clause 16 agreed to on division)

Thank you, Mr. Chair.

In testimony on Bill S-4 we heard a lot of different opinions on the implementation of a notice mechanism for data breaches. This is a contentious point. In fact I examined this at length when drafting my bill. I am referring here to Bill C-475 which was unfortunately defeated because of the Conservative Party.

Through this amendment, I want to propose a more objective threshold. Indeed, I would like the Privacy Commissioner of Canada to be responsible for assessing the prejudice the person whose data has been lost, breached, and so on could suffer.

This legislation does not only apply to large businesses, but also to small ones. However, small enterprises do not necessarily have the necessary means to determine if the data breach is serious. These businesses could turn to the Privacy Commissioner of Canada. He knows these issues and is in a position to determine whether the data breach justifies notifying the person.

Moreover, this amendment would allow the Privacy Commissioner of Canada to order organizations to inform the persons concerned. This would also force organizations to notify people and would give the commissioner a little more power. Indeed, he could ensure that the privacy of individuals dealing with the organizations is respected.

I think this threshold is more objective, that it would afford better privacy protection, and that it would reduce the burden on small businesses.

Thank you.

But why didn't you use a more objective criterion, such as the one in Bill C-475, which was introduced in 2012?

Since the government's bill is modelled after Bill C-475, why wasn't a more objective criterion used?

Bill S-4 would require organizations in the private sector to report any loss or breach of personal information. But the criterion on which that mandatory reporting is based is subjective. In fact, the bill allows organizations to determine, themselves, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

Why didn't the government choose a more objective criterion as the basis for that determination, such as the one proposed in Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), which was introduced by my colleague?

Mr. Speaker, I rise today to speak to Bill S-4, which amends Canada's privacy legislation. However, in its current form, Bill S-4 contains measures that will make it easier to access personal information without a warrant.

By proposing to refer this bill to a committee before second reading, the government has decided to take a new legislative route with this bill.

Indeed, the government motion aims to refer this bill to a committee before second reading. This motion will therefore allow members to examine Bill S-4 before second reading and propose amendments that will modify its scope.

We support the motion, because we hope that some of the serious concerns we have about this bill will be examined in committee. We are very concerned about the fact that one provision in Bill S-4 makes it easier for organizations to share personal information without a warrant or consent from the client, and without the appropriate oversight mechanisms in place.

In an article published in the spring 2014 journal of the Ligue des droits et libertés, Stéphane Leman-Langlois, the Canada Research Chair in Surveillance and the Social Construction of Risk at Laval University in Quebec City, gave a very clear explanation of the risks associated with industrial surveillance.

Here is what he had to say in that article:

We easily forget that every second of the day, a myriad of private entities are collecting a mountain of information on us, our habits, our behaviour, and our interactions with others...

A number of commercial entities have to collect basic information on their clients just to provide them with the service they require. A mobile phone could not work without continually indicating its location. The company also has to keep records, for billing purposes, on the calls received and made with the phone...

As you can imagine, this adds up, and after a while can represent massive amounts of data...

The information that metadata can provide about us is absolutely unbelievable. An ongoing experiment at Stanford University, with 500 volunteers willing to share their metadata, has shown that the researchers could determine financial records, health status, membership in the AA, whether the individual had an abortion or owned a gun, and many other things...

Just recently, the spotlight was on certain government intelligence agencies that were deeply involved in the widespread collection of information on Canadians. The agencies in question were specifically the RCMP, the Communications Security Establishment Canada, or CSEC, the Canadian Security Intelligence Service, or CSIS, and the National Security Agency, or the NSA, from the U.S.

Often...these agencies stop collecting or actively intercepting data and simply demand data that has already been gathered by companies...

All this may seem remote from our daily reality...but this activity has a perfectly tangible impact on our lives as ordinary citizens...

The picture being painted by Professor Leman-Langlois of Laval University, should make us realize the importance of the subject being debated today.

However, this is what this same professor and expert in security information had to say on the government's current position:

We can all agree that there is not very much privacy on the Internet, but still, there are some very weak protections in place. However, rather than strengthening privacy, which of course would be the best thing to do, the government is bombarding us with bills that will reduce those protections.

Although Bill S-4 proposes significant amendments to the Personal Information Protection and Electronic Documents Act, such as the obligation to report any breach of security safeguards involving personal information and increased powers for the Privacy Commissioner, the NDP is worried about the negative impact that some provisions of the bill will have on Canadians' privacy rights. The Conservatives have a very poor track record when it comes to protecting personal information, and Bill S-4 will not fix this troublesome past.

In just one year, government agencies secretly made over 1.2 million requests to telecommunications companies for personal information without a warrant or proper oversight. What is more, according to documents we obtained, the Canada Revenue Agency was responsible for more than 3,000 privacy breaches in less than a year. Last month, here in the House, I asked whether the government intended to follow the NDP's recommendation to set up a committee of independent experts to look at how the government uses and stores Canadians' communications data. However, as usual, the government had nothing to say. The Conservatives never gave me an answer to my question. The government should have taken advantage of the opportunity afforded by Bill S-4 to correct the flaws in PIPEDA that led to repeated violations of Canadians' privacy.

In 2012, the NDP introduced Bill C-475. This bill would have added online data protection standards to federal legislation that are similar to those in Quebec's personal information protection act. Quebec's data protection standards would have been applied to all federally registered organizations and to organizations with customers and users in Quebec. The Conservatives opposed our bill, and now they have introduced a watered-down version of the same bill.

The NDP believes that Canada needs to require mandatory reporting of the loss or breach of personal information based on objective criteria, as proposed in Bill C-475. The NDP also wants to remove the provisions from Bill S-4 that allow organizations to disclose personal information to other organizations without the consent of Canadians and without a warrant.

In order to truly protect Canadians' privacy, deterrents should be put in place to encourage or force private companies to abide by Canadian laws.

That is what the NDP is proposing, and we hope that the government will listen to us in committee, because that is what we are asking for. We think we need to get to the point, and that is why we are here. If this is not done properly, we would certainly need a committee of independent experts. As I said, I think the solution is there, but as we have seen too often, the Conservative government cuts corners and we end up with something like this.

I will now take questions.

Mr. Speaker, yet again, I listened with great interest to my Conservative colleague's speech.

I have a more specific question for him. I agree that a data breach notification requirement is essential. I even proposed a similar measure in my Bill C-475, which the member voted against.

In my model, I proposed an objective mechanism that would not make organizations themselves responsible for determining whether the data breach or leak was significant enough to notify the client concerned.

What Bill S-4 proposes is really subjective. It would have the organization make its own determination. Many lawyers, experts and academics have found this approach problematic. Does my colleague think that this approach is problematic?

Mr. Speaker, I would like to thank the hon. member for Terrebonne—Blainville, who is our digital issues critic.

I would like to congratulate the official opposition for taking initiative and appointing a digital issues critic. We understand the complexity of these issues, which require an approach that balances rapid technological advances and the protection of privacy.

Her bill, Bill C-475, was a commendable initiative. The legislative summary that was prepared stated that the bill aimed to improve the protection of private information. We have to wonder why the government did not support such a worthwhile initiative.

We continue to point out that the government sometimes lacks a balanced approach. It sometimes freely grants the authority to monitor people without a warrant.