Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

February 5th, 2015 / 11:20 a.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

Minister, you said that Bill S-4 did not violate the Constitution and that the Supreme Court's decision in the Spencer case did not apply to the provisions in the bill.

Did I understand you correctly?

Was any research done in that regard, further to the Spencer decision?

February 5th, 2015 / 11 a.m.

Port Moody—Westwood—Port Coquitlam B.C.

James Moore Conservative Minister of Industry

Thank you very much, Mr. Chairman, and I appreciate the opportunity to come back, as you said, with my officials to talk about Bill S-4, the digital privacy act, which for me is a very important piece of legislation for a number of reasons: the context of the legislation in terms of Canada's digital policy moving forward but also our responsibility as a government, as a Parliament, to update our privacy legislation to protect Canadians.

But before I do that, I gather there were some changes in the committee membership, so I want to congratulate those of you who have been tasked to come onto this committee. As you know, the Department of Industry...and therefore your oversight of our activities, your advice, and constructive criticism, are of course an important part of our parliamentary function. To those of you who are on the committee, I look forward to working with you over the coming months as we move forward on pieces of legislation like this one here.

Thank you, Mr. Chair, for inviting me to appear before the committee today to discuss an important bill, the Digital Privacy Act, which is intended to better protect Canadians' personal information online.

You know, our government is focused on the mandate that we were given by Canadians back in 2011, to create jobs, focus on a growing Canadian economy and, as Minister of Industry, to move forward with an effective digital policy for Canada.

Also, we know that any government's plan that is centrally focused on the economy must of course have a robust engagement to strengthen Canada's digital economy. That's why last year I unveiled Digital Canada 150, our government's plan that sets clear goals for a connected and competitive Canada. It will help Canadians participate and succeed in our digital economy. One of the key pillars under Digital Canada 150 is the need to protect privacy.

The digital privacy act is an essential part of that goal. Our government understands that a strong digital economy requires strong protections for Canadians when they surf the web and when they shop online. The digital privacy act will modernize Canada's private sector privacy law by introducing important new protections for Canadians online. It sets clear rules for how personal information can be collected, used, and disclosed. It requires organizations to tell Canadians if their personal information has been lost or stolen and imposes heavy fines on companies that deliberately break the rules. It gives the Privacy Commissioner of Canada more power to enforce the law and to hold offenders to account. The bottom line is that it delivers a balanced approach to protect the personal information of Canadians, while still allowing information sharing to stop illegal activity when it occurs.

These are much-needed changes to Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, or more commonly known as PIPEDA. PIPEDA “sets out the ground rules for how private sector organizations...collect, use or disclose information in the course of commercial activities” across Canada. This should not be confused with the Privacy Act, which deals with how the Government of Canada handles the personal information of Canadians.

Let me share with the committee four areas where the digital privacy act will significantly improve PIPEDA.

First...data breaches. Unfortunately, this is an all-too-familiar topic for Canadians in our digital age.

It may surprise the committee members to learn that, under the current legislation, businesses are not obligated to notify Canadians of security breaches involving data under their control.

In other words, if a company's data is compromised and a hacker gets a hold of your credit card number, the company is not under any obligation to notify you. That's a serious problem.

Last December, for example, Target revealed that a data breach had compromised millions of its customers' credit and debit card information. In September, Home Depot announced that a data breach perpetrated by unknown hackers left as many as 56 million debit and credit card customers across North America vulnerable to fraud. On October 10, Kmart disclosed, in the United States, that almost all of its 1,200 stores throughout the States had been attacked by hackers, putting credit card and debit card details of customers potentially in jeopardy. Later in October, Staples announced a suspected breach of its customers' credit card and debit card information as well.

Canadian online consumers need stronger laws to protect them from similar fraud here. The digital privacy act will make it mandatory for an organization to tell individuals if their personal information has been lost or stolen and whether or not it puts them at any risk.

Under the Digital Privacy Act, organizations will be required to notify individuals whose personal information has been lost or stolen and let them know whether they are at risk of harm as a result.

Companies will have to inform Canadians of the steps they must take in order to protect themselves, such as changing their credit card PIN or email password. These are crucial safeguards to protect Canadians, and yet they are not currently in place.

The digital privacy act has been praised by consumer rights groups and those in the retail industry for its balance. The Marketing Research and Intelligence Association has said that they support the mandatory breach notification requirements that are in the bill. The Canadian Marketing Association has said that they support the changes to breach provisions.

The digital privacy act will make it mandatory that organizations also report these potentially harmful breaches to the Privacy Commissioner. When there's a privacy breach, not only is the individual informed by law; the Privacy Commissioner is also informed by law. In fact it will be mandatory for all organizations to keep records of all data breaches as well. If the Privacy Commissioner makes a request for these records, they must be handed over. Once law, organizations that deliberately cover up privacy breaches and destroy records will face fines of up to $100,000 for every person or client that they intentionally fail to notify.

The Office of the Privacy Commissioner of Canada is on the record as supporting these amendments as being in the best interest of Canadians. In addition, in my home province, the B.C. privacy commissioner has also recommended to their provincial government that they adopt the same approach that we have taken in Bill S-4.

Second, our digital privacy act clarifies the rules around obtaining consent to protect vulnerable Canadians online, particularly children and seniors, when companies ask to collect and use their personal information. For example, when the owner of a website for children wants to gather information about visitors to the site, the owner will need to use language that a child could reasonably be expected to understand. If the child can't be expected to understand how the information will be used, the child's consent would not be deemed valid. The owner would need to get consent from a child's parent.

This amendment makes it clear for companies how consent works under the act. This is something about which there has been confusion. This legislation does make it clear so that they can adopt best practices.

If an organization is targeting a product or service at a particular segment of the population, such as children, then any attempt to obtain consent must be adjusted accordingly.

Again, Mr. Chair, the Marketing Research and Intelligence Association agrees with these changes, saying that it “fully supports the provisions in Bill S-4 which provide added clarity for organizations when they seek the valid consent of an individual”. Given the increased use of smartphones and tablets among young people, the stronger rules included in this bill will make sure that individual Canadians, especially children and adolescents, can fully understand the potential consequences of sharing their personal information.

The Digital Privacy Act further protects Canadians by setting out certain exceptions in which personal information can be shared when it is necessary to protect an individual from harm.

In certain situations, it is in the public interest to share an individual's personal information without their consent. For instance, the information could be shared for the purpose of reuniting parents with a sick or injured family member when they are otherwise unable to contact that family member.

Another example would be by allowing banks and financial institutions to share personal information with law enforcement or family members when they suspect cases of financial abuse, especially to protect against elder financial abuse. The Canadian Bankers Association has applauded the amendments contained in this bill that would allow banks and financial institutions to advise public guardians, law enforcement, or family members when they have evidence of financial abuse, particularly of elders.

Mr. Chair, I want to pause here to address one issue that was raised in question period when this bill was debated in Parliament before being referred to this committee. That's with respect to the Supreme Court of Canada's decision in the Spencer case. Some have suggested that PIPEDA, and the digital privacy act by extension, in some way may violate the Charter of Rights of Canadians and need to be changed.

This is patently false. PIPEDA does not create any search or seizure powers for law enforcement. It does not require companies to hand over information to law enforcement. It only allows private sector organizations to voluntarily provide information to law enforcement and government agencies when they have the legal authority to obtain it. This decision does not mean that PIPEDA or Bill S-4 is unconstitutional, and no changes to Bill S-4 are required in that regard.

Some privacy advocates, including the Privacy Commissioner, have called for greater transparency on the part of businesses with respect to how often and under what circumstances they provide information about their customers to police.

Openness, of course, is one of the key principles underscoring PIPEDA, and nothing in PIPEDA prevents Internet service providers or other companies from publishing such transparency reports. I'm pleased to see that over the past year a number of Canadian companies have done just that.

Lastly, under the Digital Privacy Act, the Privacy Commissioner will have new powers and tools to enforce the act.

The former interim Privacy Commissioner supported this legislation when she said that the digital privacy act “will strengthen the privacy rights of Canadians. We welcome proposals to introduce a mandatory breach notification regime and the compliance agreement provisions that will make it easier for our office to ensure that companies meet the commitments that they have made. We strongly support these provisions.”

I would point out as well that before we drafted this legislation and before it was presented to the Parliament of Canada, we consulted with the Privacy Commissioner's office to ensure that this legislation satisfied their concerns with regard to privacy and that we were taking all reasonable steps to ensure that concerns that had been raised in the past about this type of reform were recognized and considered in the drafting of this legislation. That's why I'm grateful for the Privacy Commissioner's support of this legislation.

Under the digital privacy act, the commissioner will now be able to negotiate voluntary compliance agreements with organizations to hold them accountable for their commitments to correct privacy problems. In addition, the Privacy Commissioner will now have one year instead of 45 days to potentially take organizations to court if they don't play by the rules. The digital privacy act will also give the commissioner more power to name and shame, or to make information public where organizations do not play by the rules. This change will make sure that Canadians are informed and aware of issues that affect their privacy. Organizations either comply with the law or they will face public scrutiny.

Our government is balancing the privacy needs of Canadians and the ability of businesses to legitimately access and use personal information in their day-to-day operations. The Canadian Marketing Association has expressed their support overall for this legislation when they said that it “supports the government's effort and this bill to update Canada's private-sector privacy law”.

The Canadian Bar Association said, “We express our support for the digital privacy act”.

As we move forward with the implementation of the act, I look forward to working with the Privacy Commissioner to provide all the necessary clear and practical guidance to help with full compliance. The digital privacy act, as I said, is a much needed update to Canada's private sector privacy law, particularly in our modern digital economy.

The bill gives Canadians the assurance that their information will be equally protected, no matter who they choose to do business with in Canada.

Thank you. I would be happy to answer any questions the committee members have.

I would certainly like to again thank committee members for their consideration of this legislation. As you know, it's Bill S-4, not C-4, and this legislation has already been adopted by the Senate. It received quite deep and thorough study on the Senate side. This was treated, I think, with a great deal of respect and the necessary intensity, and I was pleased that it was adopted by the Senate. I look forward to this committee giving it the scrutiny that it deserves.

Thank you.

February 5th, 2015 / 11 a.m.

The Chair Conservative David Sweet

Good morning, ladies and gentlemen.

Welcome to the 33rd meeting of the Standing Committee on Industry, Science and Technology.

We are beginning our study on Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act.

Before us we have the Honourable James Moore, Minister of Industry.

I'll also go ahead and introduce the department officials, as well—Mr. John Knubley, deputy minister; Kelly Gillis, associate deputy minister; and Chris Padfield, director general, digital policy branch. I understand, Mr. Knubley, that in the second half you'll have opening remarks.

But for now we will begin.

Minister, if you would begin your opening remarks, and then we'll have our usual rounds of questions.

November 27th, 2014 / 4:45 p.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

I would like to come back to Bill C-13 and Bill S-4.

If these two bills remain unchanged, are you afraid they will raise legal issues? Will it have any impact on your office? Will it make your work difficult?

November 27th, 2014 / 4:40 p.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

Great. Thank you very much.

Many bills address privacy, including Bill C-13 and Bill S-4. Bill C-44 does not deal directly with privacy, but it expands the mandate of CSIS.

Are you concerned about the lack of parliamentary or civilian oversight related to expanding CSIS' mandate?

November 27th, 2014 / 4:40 p.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair.

Mr. Therrien, I would like to thank you for your testimony. I would also like to welcome all my new committee colleagues, since this is the first time we are meeting.

In your speech, you said that there are a number of challenges when it comes to privacy. The digital world is constantly changing. The Supreme Court ruling in Spencer is a prime example. You have already underlined that adjustments should be made to the Canadian legislation, particularly with respect to Bill C-13 and Bill S-4.

Could you please provide more detail about your perspective on this matter and tell us what you think the government should do to reduce the ambiguities that followed from the Supreme Court ruling?

CSEC Accountability and Transparency Act / Private Members' Business

October 30th, 2014 / 6:35 p.m.

Sean Casey Liberal Charlottetown, PE

Mr. Speaker, I am pleased to rise today to speak to Bill C-622, proposed by my honourable colleague from Vancouver-Quadra. The bill, on a technical level, seeks to amend the National Defence Act to improve the transparency and accountability and provide for an independent review in respect of the operations of the Communications Security Establishment, and to enact an act to establish the intelligence and security committee of Parliament. It seeks to strike an important balance between national security, the privacy of Canadians, and parliamentary scrutiny.

There was justifiable concern earlier this year when Canadians learned that CSEC was monitoring Wi-Fi services at Canadian airports. In fact, there seems to be a bit of a preoccupation with privacy rights under this government.

If we go back to the Vic Toews bill, we all remember the e-snooping legislation, which fortunately did not see the light of day, but many of the provisions were then imported into a new piece of legislation and bundled with the rights of victims of cyberbullying in Bill C-13. The most recent example is the digital privacy bill, Bill S-4, which seeks to open the door a little wider, allowing the entities that can receive private information to walk through the door that had been opened by Bill C-13. The compromising of privacy rights in Canada has been a recurring theme under this government.

Mr. Speaker, before I get too far ahead of myself, please allow me to outline the role of CSEC for those following the debate and also for members of this place who may not be as familiar as necessary to adequately engage in the debate this evening.

CSEC, or Communications Security Establishment Canada, has a three-part mandate. First, it is responsible for the collection of foreign intelligence from the global information web. Second, it is the lead agency for cybersecurity for the federal government. Third, it can use its technological capacities and expertise to assist domestic law enforcement and intelligence agencies.

There is no argument that CSEC is a vital piece of Canada's national security puzzle. Additionally, CSEC functions within a global alliance known as the Five Eyes, an alliance of partner signals intelligence agencies within the United States, the United Kingdom, Australia, and New Zealand.

Following the 9/11 attacks in the United States, the mandate of CSEC was expanded. That was 13 years ago, and we are in a rapidly evolving world in terms of national security. It seems more than reasonable to assess the mandate, effectiveness, and accountability of CSEC and its activities.

My colleague, the hon. member for Malpeque, has been quite vocal about the need for parliamentary oversight. In his capacity as public safety critic, he has repeatedly pointed out the important fact that, although Canada functions within the Five Eyes alliance I just spoke about, it is the only country that does not have proactive parliamentary oversight.

In February of 2014, my hon. colleague from Malpeque asked a question that I think deserves an answer. I am not sure he has ever received a genuine or relevant answer, so I'll pose the question here again today. I am quoting from the member for Malpeque:

The key point here is that I really cannot understand the government's unwillingness to look at proper parliamentary oversight when two of its key cabinet ministers were in fact part of a report at one point in favour of such oversight.

We know that with this particular government, if an organization that depends on government funding comes out against the government, its funding will probably be cut.

The member went to great lengths explaining the Five Eyes and the other countries that are our allies in these issues. Where does the government get the idea that Canadians are less at risk of invasion of privacy and do not need proper parliamentary oversight, when all our allies do?

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:55 p.m.

Annick Papillon NDP Québec, QC

Mr. Speaker, that is exactly it. There are no warrants, and there is no oversight or transparency.

Canadians do not like people tinkering with their privacy. It makes no sense and, quite frankly, it is unacceptable. Bill S-4 is not designed to correct the existing deficiencies. The bill contains measures that would increase warrantless access to the information of telecommunications company subscribers, for example. That is shameful and it makes no sense. We have seen some cases of abuse recently in the news. Do we want Canada to go in that direction by letting anyone do anything with the personal information that defines our life? What would be our recourse as Canadian citizens if that were to happen?

Identity theft is a reality, and this information can circulate and be used. Even the government has lost information. At some point, we have to be aware of what we are doing. I think that in light of the fact that this is being done without a warrant, without oversight and without any kind of protection, Canadians have a reason to be concerned. That is why we are sounding the alarm.

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:50 p.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, I congratulate my colleague on her excellent speech, which really highlighted the different problems with this bill.

I would like to hear her thoughts, because she said that the government could have taken advantage of the opportunity afforded by Bill S-4 to correct the flaws in the Personal Information Protection and Electronic Documents Act, known as PIPEDA, which allow for a parallel system in which government agencies can simply ask Internet service providers to provide information on customers, such as their IP address. I would like her to talk some more about that and explain why it is important to correct these flaws in order to put an end to that non-consensual parallel system that has no oversight and no transparency.

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:40 p.m.

Annick Papillon NDP Québec, QC

Mr. Speaker, I rise today to speak to Bill S-4, which amends Canada's privacy legislation. However, in its current form, Bill S-4 contains measures that will make it easier to access personal information without a warrant.

By proposing to refer this bill to a committee before second reading, the government has decided to take a new legislative route with this bill.

Indeed, the government motion aims to refer this bill to a committee before second reading. This motion will therefore allow members to examine Bill S-4 before second reading and propose amendments that will modify its scope.

We support the motion, because we hope that some of the serious concerns we have about this bill will be examined in committee. We are very concerned about the fact that one provision in Bill S-4 makes it easier for organizations to share personal information without a warrant or consent from the client, and without the appropriate oversight mechanisms in place.

In an article published in the spring 2014 journal of the Ligue des droits et libertés, Stéphane Leman-Langlois, the Canada Research Chair in Surveillance and the Social Construction of Risk at Laval University in Quebec City, gave a very clear explanation of the risks associated with industrial surveillance.

Here is what he had to say in that article:

We easily forget that every second of the day, a myriad of private entities are collecting a mountain of information on us, our habits, our behaviour, and our interactions with others...

A number of commercial entities have to collect basic information on their clients just to provide them with the service they require. A mobile phone could not work without continually indicating its location. The company also has to keep records, for billing purposes, on the calls received and made with the phone...

As you can imagine, this adds up, and after a while can represent massive amounts of data...

The information that metadata can provide about us is absolutely unbelievable. An ongoing experiment at Stanford University, with 500 volunteers willing to share their metadata, has shown that the researchers could determine financial records, health status, membership in the AA, whether the individual had an abortion or owned a gun, and many other things...

Just recently, the spotlight was on certain government intelligence agencies that were deeply involved in the widespread collection of information on Canadians. The agencies in question were specifically the RCMP, the Communications Security Establishment Canada, or CSEC, the Canadian Security Intelligence Service, or CSIS, and the National Security Agency, or the NSA, from the U.S.

Often...these agencies stop collecting or actively intercepting data and simply demand data that has already been gathered by companies...

All this may seem remote from our daily reality...but this activity has a perfectly tangible impact on our lives as ordinary citizens...

The picture being painted by Professor Leman-Langlois of Laval University should make us realize the importance of the subject being debated today.

However, this is what this same professor and expert in security information had to say on the government's current position:

We can all agree that there is not very much privacy on the Internet, but still, there are some very weak protections in place. However, rather than strengthening privacy, which of course would be the best thing to do, the government is bombarding us with bills that will reduce those protections.

Although Bill S-4 proposes significant amendments to the Personal Information Protection and Electronic Documents Act, such as the obligation to report any breach of security safeguards involving personal information and increased powers for the Privacy Commissioner, the NDP is worried about the negative impact that some provisions of the bill will have on Canadians' privacy rights. The Conservatives have a very poor track record when it comes to protecting personal information, and Bill S-4 will not fix this troublesome past.

In just one year, government agencies secretly made over 1.2 million requests to telecommunications companies for personal information without a warrant or proper oversight. What is more, according to documents we obtained, the Canada Revenue Agency was responsible for more than 3,000 privacy breaches in less than a year. Last month, here in the House, I asked whether the government intended to follow the NDP's recommendation to set up a committee of independent experts to look at how the government uses and stores Canadians' communications data. However, as usual, the government had nothing to say. The Conservatives never gave me an answer to my question. The government should have taken advantage of the opportunity afforded by Bill S-4 to correct the flaws in PIPEDA that led to repeated violations of Canadians' privacy.

In 2012, the NDP introduced Bill C-475. This bill would have added online data protection standards to federal legislation that are similar to those in Quebec's personal information protection act. Quebec's data protection standards would have been applied to all federally registered organizations and to organizations with customers and users in Quebec. The Conservatives opposed our bill, and now they have introduced a watered-down version of the same bill.

The NDP believes that Canada needs to require mandatory reporting of the loss or breach of personal information based on objective criteria, as proposed in Bill C-475. The NDP also wants to remove the provisions from Bill S-4 that allow organizations to disclose personal information to other organizations without the consent of Canadians and without a warrant.

In order to truly protect Canadians' privacy, deterrents should be put in place to encourage or force private companies to abide by Canadian laws.

That is what the NDP is proposing, and we hope that the government will listen to us in committee, because that is what we are asking for. We think we need to get to the point, and that is why we are here. If this is not done properly, we would certainly need a committee of independent experts. As I said, I think the solution is there, but as we have seen too often, the Conservative government cuts corners and we end up with something like this.

I will now take questions.

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:40 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, yet again, I listened with great interest to my Conservative colleague's speech.

I have a more specific question for him. I agree that a data breach notification requirement is essential. I even proposed a similar measure in my Bill C-475, which the member voted against.

In my model, I proposed an objective mechanism that would not make organizations themselves responsible for determining whether the data breach or leak was significant enough to notify the client concerned.

What Bill S-4 proposes is really subjective. It would have the organization make its own determination. Many lawyers, experts and academics have found this approach problematic. Does my colleague think that this approach is problematic?

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:30 p.m.

Conservative

Phil McColeman Conservative Brant, ON

Mr. Speaker, the legislation would provide the foundation on which the government would hold businesses to account on behalf of consumers.

It would establish new rules to protect privacy online and backs them up with more effective compliance and enforcement tools in order to strengthen the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

Under this bill, the Privacy Commissioner would be provided with a new set of tools that would help him or her perform oversight and ombudsman functions. At the same time, the courts would continue to enforce the law and could impose significant new penalties which have been added to encourage compliance with key requirements.

Through PIPEDA, the Privacy Commissioner has the responsibility for overseeing compliance with the act. He has the power to investigate, enter premises and compel evidence. He can mediate a settlement, make recommendations and publish the names of those who contravene PIPEDA. In short, the commissioner investigates complaints and works with companies to ensure they comply with the act, but enforcement action is left to the Federal Court. Indeed, the Privacy Commissioner and the Federal Court have worked together effectively to administer and enforce the rules set out in the act.

The commissioner or any other individuals can apply to the Federal Court for a hearing on any matter related to the original complaint. It is the court, not the commissioner, that has the authority to order the organization to change its practices. The Federal Court could also award damages to individuals when their privacy has been violated and they have suffered some form of harm as a result. Under the bill before us, both the courts and the Privacy Commissioner would be given new tools, but the responsibility for enforcement action would still remain with the court.

As has been mentioned, new offences and penalties would be created for three areas relating to the new data breach rules contained in this legislation. The courts can assess penalties for: deliberately failing to report a data breach to the commissioner, as prescribed by the act; deliberately failing to notify an individual of a data breach, as prescribed by the act; and deliberately failing to maintain or deliberately destroying data breach records, as prescribed by the act.

In keeping with existing offences under PIPEDA, these offences would be subject to a fine of up to $10,000 on summary conviction and up to $100,000 on indictment. I would point out to the House that the organization can be assessed a penalty for each and every individual it fails to notify. Given the large number of individuals who could potentially be affected by a data breach, this is a very serious penalty indeed.

At the same time, the bill would give the Privacy Commissioner the tools he or she needs to monitor the impact and efficacy of these new rules and serve as an ombudsman to help reduce the number of cases that go before the courts. The Privacy Commissioner would be given the authority to negotiate compliance agreements with organizations.

Let me give the House an example. Let us assume that following an investigation or audit, the commissioner determines that an organization should take certain corrective actions to remain compliant with the law. Under Bill S-4, the organization could agree to take these actions in exchange for the assurance that it would not be taken to court over the previous breach of the rules. However, the organization would also be legally accountable for any commitments made under the corrective action.

Compliance agreements are an effective mechanism for holding organizations accountable. They allow the Privacy Commissioner and organizations to avoid costly court action and provide flexibility to suit the particular circumstances that an organization finds itself in.

I would remind the House that compliance agreements are already being used by the Commissioner of the CRTC under the anti-spam legislation and the Minister of Health under the Consumer Product Safety Act.

By adding compliance agreements to the tool box of the Privacy Commissioner, we would strengthen consumer privacy protection without fundamentally changing the framework of PIPEDA or the role of the commissioner.

However, in order for this provision to work effectively, further changes to the regime are required. For example, under PIPEDA as it now stands, the commissioner has only 45 days after he or she reports the results of an investigation to make an application to the Federal Court to seek an order to take corrective action. Experience has shown that this is not enough time for the commissioner to work with companies to implement his recommendations and there is the risk that companies would simply stall in implementing the required changes until the 45-day period runs out.

On top of these challenges, 45 days is likely not enough time to negotiate and implement a compliance agreement. That is why the bill would increase the period of time to make an application to the court to one year from the time the commissioner reports the results of his or her investigation.

Finally, I would point out that the bill would give yet another tool to encourage compliance with the data breach provisions. It would give the commissioner the power to publicly disclose wrongdoing of an organization, if he or she considers it to be in the public interest to do so. Under the current act, the commissioner has limited provisions that involve the right to make public information concerning the personal information handling practices of the organization.

However, currently, he or she cannot publicly report when, for example, organizations fail to co-operate with an investigation or repeatedly stall implementation of the recommendations to fix privacy problems. Bill S-4 would broaden the types of information the commissioner could make public concerning non-compliant organizations. This is an important tool in encouraging compliance with the act.

As technology and the marketplace evolve, the commissioner and the courts need more effective tools to help hold organizations accountable for their handling of personal information, for the protection of Canadians and their privacy.

The bill before us addresses this need with four new tools. First, it would assign significant penalties for wilful disregard of the important new data breach notification requirements. Second, it would give the commissioner the authority to negotiate compliance agreements. Third, it would extend the length of time the commissioner or individuals have to bring matters before the court to one year. Fourth, it would give the commissioner greater authority to share more types of information about non-compliant organizations with the public.

I hope honourable members will join me in supporting these new tools for the courts and Privacy Commissioner by supporting Bill S-4.

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:25 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, I listened with great interest to all of the Conservative members' speeches, but if memory serves and if I am in the right place on the agenda, we are debating a motion to refer Bill S-4 to committee before second reading. Every time a Conservative member rises, he says that he is talking about Bill S-4 and does not talk about the motion that we are supposed to be debating today. I understand that the two might be connected, but we are debating the motion and I think it is important to point that out.

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:25 p.m.

Conservative

Phil McColeman Conservative Brant, ON

Mr. Speaker, I am pleased to rise today in support of Bill S-4, the digital privacy act. Bill S-4 would provide a foundation on which the government would hold business—

Digital Privacy Act / Government Orders

October 20th, 2014 / 5:10 p.m.

NDP

Hélène LeBlanc NDP LaSalle—Émard, QC

Mr. Speaker, I am pleased to rise in the House today to support the motion to refer Bill S-4 to a committee before second reading.

Bill S-4 amends the Personal Information Protection and Electronic Documents Act. I will talk a little more about that, but first I want to take a moment to talk about the motion itself, which aims to send the bill to committee before second reading. This is somewhat strange; this is the first time the current government has done this in recent memory.

It is rather interesting and makes me wonder. Why this measure right now? Why did the government decide to do this, when there were other bills? Is it because the government has its doubts about Bill S-4 and wants to send it to committee, we hope, to solve the problems in the bill? That is what I am wondering.

Although we requested that some highly contested bills be sent to committee before second reading, such as Bill C-23 on election reform, Bill C-33 on first nations education and Bill C-3 on transporting oil along our coasts, the government refused. I have to wonder why it refused to do so and why it is now making the rather unusual—or at least uncommon, in recent history—move to send Bill S-4, a bill that comes not from the government, but from the Senate, to committee before second reading.

Procedure is not one of my strong suits, but there are experts here who can clear this up for us. I find it rather interesting that when we send a bill to committee before second reading, as this motion would do, the scope of the proposed amendments can be much broader. In other words, we could make more extensive amendments since the study in committee is not restricted by the principle of the bill, which has not yet been approved by the House. That is interesting. We can hope that Bill S-4 will be amended and that we will end up with a more polished product, if I can call it that, so that it will be more acceptable as we go into second reading.

Bill S-4 makes a pretty significant change to the Personal Information Protection and Electronic Documents Act. I took a look at this act, which received royal assent in April 2000. As members know, 14 years is an eternity in the digital world. A lot of things have happened in the past 14 years. This act was the result of an extensive consultation with a wide range of experts at all levels.

This work was accomplished through broad consultation in 2000. It is clear that since 2006, with this government, consultations are restricted to very specific groups. It is interesting to see that in 2000, there was a broad consultation that culminated with the Personal Information Protection and Electronic Documents Act. Here is what that legislation does:

An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

That is the legislation that is being amended now. Another interesting part of this law is schedule 1. Certain principles were set out in the legislation about to be amended, and they are particularly interesting because they were set out in the National Standard of Canada entitled Model Code for the Protection of Personal Information. The 10 principles are as follows: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

I went to the trouble of reading those principles. I found them very interesting and I urge all members to read them. Like it or not, as members, we receive personal and confidential information in our riding offices. That is why we too have a responsibility to respect these principles of personal information and electronic document protection.

Right now, we are talking about a motion to refer Bill S-4 to committee before second reading. I mentioned that this has not happened often in recent parliamentary history. In the time I have left, I would like to take a quick look at what Bill S-4 will change.

This bill will make major changes to the Personal Information Protection and Electronic Documents Act, which I just mentioned, by allowing personal information to be shared without the knowledge of the person concerned or without their consent under some circumstances. To me, that is a questionable way of protecting personal information. Companies would be allowed to share personal information under certain conditions.

As I read the bill, I really thought that there needed to be a better explanation of these conditions and some examples. For example, in a business transaction, when should personal information be shared without clients' consent?

Some aspects of the bill are positive, such as requiring organizations to take various measures when a data breach occurs. Even the current government has some transparency problems in this regard. The third aspect seeks to create offences in relation to the contravention of certain obligations respecting breaches of security safeguards. The fourth aspect would allow the Privacy Commissioner, in certain circumstances, to enter into a compliance agreement with an organization.

Those are the four main aspects of Bill S-4 that raise concerns. Other aspects of the bill are positive and constitute a step in the right direction. That is why I support the motion to send Bill S-4 to committee to resolve the problems it contains that could result in a breach of privacy.