Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,

(a) specify the elements of valid consent for the collection, use or disclosure of personal information;

(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of

(i) identifying an injured, ill or deceased individual and communicating with their next of kin,

(ii) preventing, detecting or suppressing fraud, or

(iii) protecting victims of financial abuse;

(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information

(i) contained in witness statements related to insurance claims, or

(ii) produced by the individual in the course of their employment, business or profession;

(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;

(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;

(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;

(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;

(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;

(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;

(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and

(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, provided by the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: ( a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; ( b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; ( c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; ( d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and ( e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 4:55 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act.

Last year our government launched digital Canada 150, an ambitious plan for Canadians to take advantage of the opportunities of this digital age. It is a broad-based ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and to connect Canadians to each other. As the digital economy grows, individual Canadians must have confidence that their personal information will be protected. That is why under digital Canada 150, one of the five pillars is known as “protecting Canadians”.

The digital privacy act would provide important and long awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities while also setting guidelines for the collection, use and disclosure of personal information.

These rules are based on a set of principles developed jointly by government, industry groups and consumer representatives. The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, the amendments would clarify rules for businesses and reduce red tape.

These guidelines would ensure that vital information is available to Canadian businesses so that they have the necessary tools to thrive in a global economy. Balancing individual expectations for privacy and the need for businesses to access and use personal information in their day-to-day operations is important. Bill S-4 gets this right. It assures individuals that no matter the transaction, their personal information will continue to be protected under Canadian law.

The need to update the rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements. The bill before us does exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The Privacy Commissioner will also be notified.

An organization that deliberately covers up a data breach or intentionally fails to notify individuals and report to the commissioner could face significant fines as a result.

Let me now take a minute to point out some of the ways in which the bill before us creates an effective streamlined regime for reporting data breaches. The digital privacy act establishes a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach.

If a business determines that the data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and the Privacy Commissioner.

If the organization determines that the data breach does not pose a risk of significant harm, that is, its data security safeguards were compromised but it avoided a situation where the customers are exposed to a threat, like identity theft, fraud or humiliation, then that organization must keep a record of that breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, serves two purposes. First and most important, it requires companies to keep track of when their data security safeguards failed, so that they can determine whether or not they have a systemic problem that needs to be corrected.

An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individual affected may not be so lucky. Keeping track of these breaches will help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the Privacy Commissioner to hold organizations accountable for their obligations to report serious data breaches. At any time, the Privacy Commissioner may request companies to provide these records which will allow the commissioner to make sure that organizations are following the rules.

If companies choose to deliberately ignore these rules, the consequences as set out under the digital privacy act are serious. Bill S-4 would make it an offence to deliberately cover up a data breach or intentionally fail to notify individuals and report it to the commissioner.

In these cases, organizations could face a fine of up to $100,000 for every individual they fail to notify. These penalties represent one way that the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee:

I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill. Proposals such as the breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm. We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I have been discussing the data breach rules which are a very important element of the bill before us. I would like now to turn my attention to four ways that Bill S-4 would strengthen Canada's privacy rules.

First, the bill establishes strong consent requirements to protect vulnerable individuals online, particularly children. These enhanced consent provisions were introduced as a result of recommendations made by Parliament during the first statutory review of PIPEDA.

Under PIPEDA, organizations need to obtain an individual's consent to collect, use, or disclose their personal information. Under the bill before us, an individual's consent would not be considered valid unless the way the information will be used is clearly communicated in language appropriate to the target audience.

For example, some businesses operate online playgrounds or educational websites that target children and collect personal information of children that is used for marketing and other purposes. Bill S-4 requires that the language used to obtain consent must be such that a child could reasonably be expected to understand the nature, purpose and consequence of sharing his or her personal information. If the consent request is too complicated for the child to understand, the consent would not be valid.

Again, the Privacy Commissioner of Canada supports this amendment. He told the committee:

I think it would be useful to further clarify that consent is to be evaluated from the perspective of the person whose consent is invoked. Organizations would be asked to put themselves in the shoes of various clientele from whom they are collecting information so that consent is as meaningful as possible.

Second, Bill S-4 seeks to harmonize federal laws with provincial privacy protection laws when it comes to a sharing of personal information without consent in narrow, limited circumstances.

PIPEDA already provides for a number of circumstances where personal information can be shared without consent when it is clearly in the public interest to do so. The amendments in Bill S-4 would add to this by allowing information to be shared in order to protect seniors and other vulnerable individuals from financial abuse or neglect, communicate with the family of an injured or deceased individual, or identify a victim of an accident or a natural disaster.

In his testimony before the standing committee, Mr. Marc-André Pigeon, director of financial sector policy at Credit Union Central of Canada expressed his strong support for Bill S-4 and the financial abuse amendment. He said:

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse.

The third way that Bill S-4 would strengthen PIPEDA would be through changes that would support day-to-day business operations. The digital privacy act would remove unnecessary red tape for businesses by allowing for the collection, use and disclosure of personal information without consent in the context of specific legitimate business activities. For example, Bill S-4 would allow information to be more readily available in order to conduct due diligence in the context of mergers and acquisitions.

Similarly, the digital privacy act would allow businesses to share any type of business contact information in order to carry out normal business activities. It is simply ridiculous that PIPEDA allows an employee to share an office phone or fax number, but not an email address. Bill S-4 would fix this problem, a solution supported by the Retail Council of Canada. It told the committee:

—we support the clarification on the exclusion of business contact information...This section 4 clarification will better equip businesses to conduct their ongoing operations.

Finally, the digital privacy act would make existing compliance tools stronger and more effective. PIPEDA is enforced by the Privacy Commissioner of Canada who can turn to the Federal Court when an organization is found to break the rules. Bill S-4 would also give Canadians the option of taking an organization to Federal Court to order an organization to change its practices or to seek damages.

While the digital privacy act would keep those options open, it would also provide an alternative to court action such as voluntary compliance agreements. Under a compliance agreement, organizations would voluntarily commit to take action to comply with the law to avoid costly legal action. The agreements would be legally binding and would allow the commissioner to hold organizations accountable to follow through on their commitments to private privacy protection.

Again, the Privacy Commissioner expressed his strong support for this tool when he appeared before the standing committee. He said that the compliance agreement amendment was “very necessary” and “helpful for us to implement and apply”.

Canadian organizations care about their reputation and they know that sound privacy practices will have a lasting impact on the legitimacy of their brand. They also know that the reverse is true, that if their customers find out about shoddy privacy practices, their businesses will suffer. This is why the digital privacy act would give the Privacy Commissioner broader powers to name and shame a non-compliant organization to encourage it to take corrective action.

If either of these measures fail to provide the right incentives for businesses to fix their privacy problems, Bill S-4 would give the Privacy Commissioner more time to take them to court. Under the current law, the commissioner only has 45 days after he finishes the investigation to take the organization to court.

The Privacy Commissioner told the standing committee that it was simply not enough time, given the high complexity of issues with which his office dealt. Quite often, the Privacy Commissioner will work with organizations for several months, if not a year, to ensure they follow through on their commitments to fix any problems he has identified. The problem, of course, is that organizations can simply delay taking action for a couple of weeks, knowing that after 45 days, the commissioner will no longer have the option to take them to court. Bill S-4 would fix this problem and would provide the commissioner with a year to take an organization to court for non-compliance.

I have just outlined the five major provisions in Bill S-4, which include: new data breach rules; clear requirements when obtaining consent from individuals, including from minors; changes to support other public interest objectives, like fighting financial abuse; reducing the red tape for day-to-day operations; and new compliance tools for the Privacy Commissioner of Canada.

It is clear that Bill S-4 would deliver a balanced approach to protect the personal information of Canadians, while still allowing the information to be available to the growing, innovative digital economy.

Karl Littler, vice-president of Public Affairs at the Retail Council of Canada, summed it up best when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

We have it right with this digital privacy act. Both businesses and consumers have been empowered in this digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting personal information, and that is essential to conduct business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians. I urge hon. members to join me in supporting this bill.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:10 p.m.
See context

NDP

Ève Péclet NDP La Pointe-de-l'Île, QC

Mr. Speaker, I heard my colleague mention amendments. However, the Conservatives rejected one of our critical amendments that was supported by many witnesses. That is rather problematic. We wanted to work with the Conservatives, but as usual, they turned a deaf ear in committee and refused to work as a team.

Why did they once again refuse to accept our amendments, which would have corrected and improved the bill so that we could better protect Canadians? As it now stands, Bill S-4 is still quite flawed. For example, it leaves it up to the companies to enforce the regulations, which is unacceptable.

I would therefore like my colleague to explain why the Conservatives rejected our amendments.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:10 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Clearly, Mr. Speaker, when the committee looked at the amendments, they were not considered suitable or applicable at that stage. There is a lot of confidence in the companies that we are working with and that are working on these. The recommendations in this bill came from the companies, as well as all the industries, et cetera. Therefore, I do not think there was any need for those changes to be admitted in.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:15 p.m.
See context

Liberal

Ted Hsu Liberal Kingston and the Islands, ON

Mr. Speaker, I would like to repeat the question of my hon. colleague on the opposition benches. I want to ensure that the government member really believes this is the best possible bill we could pass in the House of Commons, since we are at third reading debate.

Forty-two opposition amendments were passed over, I understand, with very little discussion, explanation or even defence of the rejection of those amendments. It is really a simple question, and perhaps my hon. colleague has already answered it. However, I would like him to say clearly whether he believes this is the best possible bill we could pass.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:15 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, on any bill that comes through the House, the question can be asked whether it is the best bill. We believe this is the best bill we have for this time, for this place, for now, in protecting the privacy of Canadians who are working in this digital economy. We believe these things will strengthen PIPEDA and close the gaps. That is why we have submitted it.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:15 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, our government understands the need for businesses to conduct normal, everyday activities, and not be inundated with red tape, while at the same time maintaining the privacy of Canadians.

The digital privacy act proposes common sense changes that recognize that companies need access to and the use of personal information to conduct legitimate business activities, for example, taking a merger and acquisition process, an insurance claim, or sharing an employee's email address and fax number with another company in those circumstances. These important fixes were introduced in response to unanimous recommendations made during the first parliamentary review.

The digital privacy act would reduce the unnecessary red tape for businesses, while also maintaining and protecting privacy rights for Canadians.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:15 p.m.
See context

NDP

Rosane Doré Lefebvre NDP Alfred-Pellan, QC

Mr. Speaker, it is truly a pleasure for me to ask my colleague opposite a question on behalf of my constituents from Alfred-Pellan in Laval.

In the bills that the Conservatives introduce, the devil is often in the details. When examining the proposals set out in Bill S-4, I had some concerns that I would like to raise.

One of those concerns in particular reminds me of the nightmare of Bill C-51 and its lack of a proper oversight mechanism. Bill S-4 presents the same type of problem. It would allow greater access to personal information without a warrant and without provisions for an oversight mechanism.

In fact, I am wondering why the Conservative government is working so hard to allow snooping without a warrant and why it is creating bigger holes with bills such as Bill S-4.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:15 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, while we look at what the question is about, we already have this information in the system. This is information that people have put online with businesses they are working with to ensure that information is used for legitimate businesses. There is no need for a warrant for those sorts of information unless some criminal activity is going on, in which case there would be a warrant. I do not think there is any relevance to that question, to be quite frank.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:15 p.m.
See context

Liberal

Kevin Lamoureux Liberal Winnipeg North, MB

Mr. Speaker, when we look at the process of Bill S-4, is it any wonder that Canadians look at Ottawa and come to the determination that Parliament is broken? There is a need for real change, and the Liberal Party of Canada will be advocating for that.

Let us look at this bill. We have legislation before us that has some serious flaws. We had the opportunity in committee stage to make some changes with amendments. The majority government, over the years, has made the determination that it does not matter what kind of amendment it is if it comes from the opposition benches. It is an automatic default that amendments are bad unless they are Conservative amendments.

Will the member not recognize that this bill is faulty in the sense that the many amendments that were brought forward, whether from the Liberal Party or other opposition members, did have some merit to them? Would he not acknowledge that fact?

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:20 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, that was an interesting question.

Of course there is some merit in all of these things. This bill was specifically designed to fix some of the issues in PIPEDA. It would provide that oversight with the Privacy Commissioner. It would do everything that we need to do to fix the issues for now. Some of the changes that were proposed were not accepted for those various reasons. They were looked at and therefore rejected.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:20 p.m.
See context

Scarborough Centre Ontario

Conservative

Roxanne James ConservativeParliamentary Secretary to the Minister of Public Safety and Emergency Preparedness

Mr. Speaker, I listen to the remarks of my hon. colleague from Don Valley East. He talked a bit about fighting financial abuse. He went on to say something related to making it easier to contact a family member or next of kin when financial abuse was suspected.

Could the member tell us who might fall victim to this type of financial abuse and why the legislation is so important in order to protect these people?

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:20 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, there are several categories of people who are vulnerable: children who are now doing a lot more work online than many adults, and seniors who are also online and are likely to be subject to financial fraud, et cetera. The bill would allow for somebody to identify that there was a potential fraud taking place and would allow communication with somebody responsible for those people to analyze and see if these could be fixed. The bill ensures we make that provision for those people.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:20 p.m.
See context

NDP

Rosane Doré Lefebvre NDP Alfred-Pellan, QC

Mr. Speaker, I would like to ask my colleague across the way another question about Bill S-4.

According to some experts, many parts of Bill S-4 are unconstitutional. Why, then, will the government not simply take out the parts that are unconstitutional, especially in light of the Spencer ruling?

I would like my colleague to comment on that.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:20 p.m.
See context

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, as we reviewed the bill in committee, issues of unconstitutionality were never raised. Therefore, there does not seem to be a problem with it from that perspective. Bills go through the usual process of legal assessment before they are put forward, to understand whether that is the case. I do not think there is anything in there that is unconstitutional.

Digital Privacy ActGovernment Orders

June 17th, 2015 / 5:20 p.m.
See context

NDP

Murray Rankin NDP Victoria, BC

Mr. Speaker, it is a pleasure to rise and speak to Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act, called PIPEDA. The bill has the rather misleading title of the digital privacy act.

I will be speaking against this bill for a number of reasons that have been articulated very well in past debates by the member for Terrebonne—Blainville, our digital issues critic. She has brought in a bill of her own. The government took parts of it and did not go as far as it needed to, to actually protect the digital privacy of Canadians.

I would like to, first, talk about why this is such an important bill. Second, I will talk about the history of getting it here. Last, I will talk about some of the critical problems with this bill and propose an amendment at the end of my remarks.

E-commerce is the backbone of the modern Canadian economy and it is only going to be more important going forward. Think of our children and their use of digital material.

My colleague, the member for Toronto—Danforth, made some comments about e-commerce and why this bill, which underscores legal protections for privacy and e-commerce, is so important. He said that the world's largest taxi company has no cars. It is the largest taxi company because it has personal information. It is called Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company because it owns personal information. The world's largest retailer has absolutely no inventory. He was referring to Alibaba in China.

As we move to what my colleague called the Internet of Things, by 2020, we will have 26 billion devices connected to the Internet. I hope that people appreciate that we are moving into an economy where we need to know the rules of the game and we need to know that our personal privacy in the private sector is protected. Business wants that certainty and consumers demand that what is left of their privacy be treated fairly by those private sector organizations that hold their information.

Canada is really in a unique position on the planet. We are halfway between the European Union, which has a very aggressive data protection regime, and the United States, which has sectoral legislation but not a comprehensive private sector law like PIPEDA, the bill that is before us in its amended form.

I say that we are halfway between those two regimes because, under PIPEDA, Canada has managed to create what is called a substantially similar regime to the European Union. That means that e-commerce companies in England, Ireland, France, and the 28 other countries that make up the EU can confidently share their personal information with Canadians because they know that they will have substantially similar protection. Canada achieved that. The United States does not have anything like that, so companies like Google and Facebook will often use Canada as a launching pad.

If we can make privacy protection sufficient in Canada, it will likely be sufficient for Europeans, who have had the most stringent requirements of privacy on the planet. It is important that we get this right.

It is amazing and very timely that we are having this debate at this time because on Monday of this week a clear signal was given by the Council of Ministers in the European Union that it is going to go for a regulation soon, not the directive that has been enforced for some time. After two years, all 28 countries will have to come up with an even more stringent regime.

That is why this bill is so problematic. It would not help small business, as I will describe, and it certainly would not give consumers the protection that the courts say that they are entitled to. I refer to the case of Spencer in 2014, where warrantless searches were said to be not on for Canadians, yet they seem to be just fine in this bill, which is odd. We need it get it right from a commercial point of view, as well.

I am indebted to Professor Michael Geist, who testified before the industry committee and the Senate, and who is so prolific and thoughtful in his analysis of private sector privacy legislation and other privacy regimes. He talks about how it is has taken us eight to nine years to get to this state.

I wanted to talk about this because the government's ineptitude in helping the e-commerce industry that I talked about and protecting the privacy of Canadians is on full display in the history of this bill.

The Conservatives tell us that it is urgent, that we must get on with it. Well, that is because they have dropped the ball, as I will describe in many ways. It has taken eight or nine years to get to this situation.

The Conservatives left an earlier version of a privacy bill sitting for two years in the House of Commons with no movement whatsoever and then it died at prorogation. How did that happen? In November 2006, the Standing Committee on Access to Information, Privacy and Ethics undertook its hearings on this reform. That was one year later than the five-year review process required by the act.

Just to back up, PIPEDA, the bill before us that is being amended, requires parliamentarians to review it after five years. They could not even get that deadline together.

In 2007, there was a report recommending certain things be done. Nothing seemed to happen. First reading was in 2010 for Bill C-29, the first PIPEDA reform. Second reading of the bill was in October. In September 2011 there was the first reading of Bill C-12, the second attempt to reform PIPEDA. That never got past second reading. It died when the government prorogued. Then another bill, this Bill S-4 was introduced in April 2014. This was the third try. Three strikes are lucky, I guess.

Here we are before Parliament with a bill that when it was in committee, the government said solemnly that it was urgent that we get on with it because it did not want to take a chance on any further delays and amendments. It is laughable the way the government treats the backbone of e-commerce, this privacy legislation. It has taken eight or nine years to get to where we are tonight. In the dying days of Parliament we are debating the legislation. It shows how important this must be to the government of the day.

In my riding, where we have a thriving e-commerce industry, with start-ups trying to develop apps and so forth, the bill is important and the government treats it with a history of neglect, which is the best way I can put the ineptitude I have described.

It is critical for small businesses, as I will describe, because they just do not have the wherewithal of large business to comply with some of the provisions of the legislation. I will come to that in a moment.

What does the bill do? Some of the things it does right is that it has finally agreed with endless Privacy Commissioner recommendations that there ought to be mandatory breach disclosure. If there has been a breach of data by a company, where it is sent to the wrong place and suddenly my personal information is found in the back of a taxi cab on a data stick, someone has to be told about it. That is pretty simple and obviously long overdue. That is a good thing to have in the bill.

Second, there are increased enforcement powers for the Privacy Commissioner, including the notion of compliance agreements that companies would enter into. This is a long-standing consumer protection approach that has now found its way into the bill.

According to experts, such as Mr. Lawford, testifying on behalf of the Public Interest Advocacy Centre, it would likely result in fewer reported breaches because it leaves the determination of whether a breach causes a real risk of significant harm entirely in the hands of the private sector companies.

Do the words “conflict of interest” seem to come up? They do and that obvious conflict of interest is fatal to the purpose of the bill. Why is a company going to want to blow the whistle on itself? It seems a bit odd and others have suggested, as has my colleague from Terrebonne—Blainville, in her Bill C-475, that it ought to be for the Privacy Commissioner, an independent officer of Parliament, to pass on that, not the industries themselves. That was the subject of much criticism in the industry committee, which studied Bill S-4.

That gives me a chance to talk about the attempt by the opposition to actually get meaningful debate in the industry committee. Since I got here, probably the most disappointing thing I have found is the government's utter indifference to any amendments unless they come from its side of the aisle.

There is an effort to have a real dialogue and to improve this and come up with a kind of unanimous support for something which is technical in nature, but the government said no to every single amendment, which, of course, in my experience is the way it does it every single time. I have been on two committees and I have not seen one amendment passed that anybody but the government proposes.

Trying to co-operate with the government to do something which is at the backbone of the new economy and it will not even talk to us. Apparently, that is how the government wants to do business. Fortunately, like so many Canadians, I hope that these are the dying days of a government with such arrogance and indifference to what Canadians want.

The efforts to try to fix this bill fell on deaf ears. My colleague, the digital critic from Terrebonne—Blainville, proposed that the Privacy Commissioner be the one who determined whether a data breach was significant enough to report, which makes sense, as opposed to the fox in the henhouse, where a company has to decided whether it is big or little.

That is not for banks to decide, whether they weigh their reputational risk that they might have versus consumers' rights. I know who could do that, an officer of Parliament. That would be the right person to do that. That is what my colleague suggested. The Conservatives propose putting the burden on companies.

Here is the problem with that, and not only the obvious conflict of interest but there are large companies, think banks, telecoms, companies of that size, that have departments that are responsible for privacy protection. More and more companies have what is called chief privacy officers to regulate this very technical area of the law.

They do a good job sometimes, but they often have this penchant that they obviously feel when they are trying to protect privacy, which is their job description, and not make a career-limiting move when information that is disclosed could cause harm, and the company would be angry with them and shoot the messenger. I have talked to CPOs in companies that tell me that the conflict is alive and well and I can understand that.

Small companies do not have these chief privacy officers, for example, to determine whether there is a significant breach or a significant risk of harm. They have no idea what to do. They want to co-operate, but they do not have the personnel or expertise to do it.

My colleague reasonably suggested that we give them a little help by letting them have access to the Privacy Commissioner's expertise and resources. Is that not a common sense provision? Is that not one that would help those small start-ups in the e-commerce industry that would really like the opportunity to do the right thing but do not have the budget to do it?

The economy in my community, the largest sector now, is not tourism or hospitality, it is high tech. The people who are producing the largest contribution to the Victoria economy are people who are just in this situation, wanting to understand the rules of the game in the new e-commerce, looking to the government to give them clarity, make it easy for them to do the right thing, so they can compete internationally, as they are doing so effectively, and to be onside with the European Union's incredibly stringent rules.

Guess what? They do not have a CPO, paid $150,000 a year or whatever, like the large banks would. The government has done nothing to assist them and they are angry about it. They do not understand why this so-called business-friendly government simply does not get it.

Some 18 amendments were proposed by the NDP and 18 amendments declined by the government of the day. We tried to work it out, but the government just wanted to jam it through. To add insult to injury, for the 97th time it used time allocation on a bill of a technical nature like this. I think the government is over 100 times now.

In the history of Parliament, has there ever been a government that has done this more often? I certainly do not know. I want to study it. I have a student looking at this because the arrogance and the anti-democratic behaviour of the government has to be exposed. The 97th time was for a bill on digital privacy. It is shocking and shameful that we are in this world today with this government.

The Supreme Court has told us that warrantless searches are wrong. They are unconstitutional. My colleague from Toronto—Danforth said we should send it to the court for a constitutional reference. We cannot have yet another loss in the Supreme Court. How many would that be? I have lost count. It is six or seven. How about having a reference to the Supreme Court of Canada?

The leader of the opposition asked for that today with respect to Bill C-51. The government, of course, would never do that. It just wants to go lose again in the Supreme Court.

The Spencer case in 2014 established that warrantless searches are a bad thing. How can the government then put these searches into Bill S-4, the bill before us, and pretend it is going to be constitutional? It is great work for lawyers. I have many friends who welcome the government's position because it is a make-work project for constitutional lawyers, but is it helping the Canadian taxpayers? Is it helping the e-commerce businesses, those little businesses from coast to coast that are struggling in this international economy? Do they have the clarity they need to go forward? Why do we have to waste our time with yet another Supreme Court loss by the government? It makes no sense.

Could the government have co-operated a little with people of good faith who wanted to make it better and solve this problem, as New Democrats tried to do in committee? One would think the government would welcome that, but it simply said no.

My next point is kind of a technical thing, but I want to raise it. We talked about breach notification, and I want to give an idea of how complicated this is for the little mom-and-pop or individual family businesses that are now arising in the economy. Clause 10, which would add section 10.1 to PIPEDA, talks about the kind of notification that is required when there is a breach. I want to give an idea of how complicated this can be and how lack of clarity means something.

Proposed subsection 10.1(5) says, “The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.”

Three times the word “prescribed” is mentioned, which means it will be prescribed by regulation to follow later. There would be regulations that would define the kinds of things that would have to be done to give notification of a breach. However, as an example, let us take a small business that is trying to do the right thing. When there is a breach, it wants to notify people immediately. What is it going to do? Until there are regulations, it is utterly meaningless.

I know the government will bring in regulations eventually. That is a good thing, and I am sure companies are looking forward to seeing them, but as they plan ahead in this incredibly dynamic sector, they do not have a clue, and neither do we. None of us can say what those prescribed requirements are, because “prescribed” means to follow later in regulations, regulations nowhere to be found. People will have to try to figure that out. People sitting in a little start-up in Victoria or St. John's or Toronto or Montreal will have to try understand how to work their way through this difficult bill.

It is a history of neglect. It is a history of failure to listen to the opposition, which wanted to work together to create this regime. It has a history of eight or nine years in coming to the dying days of Parliament, but we should not worry, because it is urgent now, according to the Minister of Industry.

New Democrats do not believe it.

Therefore, I move:

That the motion be amended by deleting all the words after the word “That” and substituting the following:

“this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it:

a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected;

b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies;

c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances;

d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and

e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”