Bill S-4 (Historical)

It being 6:30 p.m., pursuant to an order made earlier today, all questions necessary to dispose of the motion for third reading of Bill S-4 are deemed put and the recorded division is deemed to have been demanded and deferred until Thursday, June 18, at the expiry of the time provided for oral questions.

The hon. Parliamentary Secretary to the Minister of Public Works and Government Services.

Mr. Speaker, unfortunately, as lawmakers we know from experience that there will always be those who will break the rules. That is why Bill S-4 would make important improvements to PIPEDA's compliance framework. These changes would ensure the commissioner has the necessary tools to ensure organizations respect the law and protect the privacy of Canadians.

The digital privacy act would set out serious consequences for any organization that deliberately ignores its data breach obligations and intentionally attempts to cover up a data breach. Bill S-4 would make it an offence for any organization to deliberately fail to notify individuals, report to the commissioner, or keep the necessary records.

In these cases of deliberate wrongdoing, an organization could face fines of up to $100,000 per offence. I want to ensure this point is very clear. It would be a separate offence for every single person and organization that is deliberately not notified of a potentially harmful data breach, and each offence would be subject to a maximum $100,000 fine.

These changes are widely supported by stakeholders, as evidenced by witness testimony during the committee's review of the bill. Professor Michael Geist stated:

These disclosure requirements are long overdue as I think it creates incentives for organizations to better protect their information and allows Canadians to take action to avoid risks such as identity theft. There are aspects in this bill that are an improvement over the prior bills, Bill C-12 and Bill C-29, most notably the inclusion of actual penalties that are essential to create the necessary incentive for compliance.

At committee, the Canadian Internet Policy and Public Interest Clinic stated:

We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored...The fines currently in PIPEDA are designed as penalties for very overt offences.

The list continues. The Canadian Bankers Association stated:

We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

The Canadian Life and Health Insurance Association Inc. was also supportive. It stated that the bill takes a balanced approach to the responsibilities placed on business and organizations, but most importantly, it will protect the consumer of those businesses, and gives individuals the information they need to take corrective action when it is necessary.

The digital privacy act does indeed take a balanced approach, one that avoids the over-reporting of harmless incidents while ensuring that the commissioner has the necessary tools to oversee whether organizations are meeting their obligations under Bill S-4.

This balanced approach would also ensure that punishment is reserved for the most egregious offenders, those who knowingly and deliberately try to circumvent the law. Those organizations caught making a mistake in good faith would instead work with the Privacy Commissioner under the existing dispute resolution tools in the act.

Our government recognizes that many organizations already notify individuals of data breaches in a responsible manner.

Let me be very clear. The penalties in the digital privacy act would target the bad apples, those organizations that willfully and knowingly disregard their obligations or, worse, cover up a breach.

The digital privacy act would encourage all organizations to play by the same rules. It would provide incentives to comply with the new data breach obligations, and also to implement appropriate data security practices to prevent breaches from happening in the first place.

By requiring organizations to keep records of their data breaches and by enforcing the requirements with stiff penalties, these amendments would increase the accountability of organizations to maintain good privacy practices and would provide the Privacy Commissioner with the tools he needs to enforce these protections.

I urge hon. members to join with me in supporting the bill.

Mr. Speaker, I will be sharing my time with the member for Kelowna—Lake Country. I appreciate the timeline on this.

I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act, which would make a number of important changes to strengthen Canada's private sector privacy law, the Personal Information Protection and Electronics Documents Act, or what is more commonly known as PIPEDA.

Data breaches are very concerning to Canadians. In fact, a recent survey conducted by the Office of the Privacy Commissioner in 2014 found that news of data breaches among several large retailers had made 80% of Canadians more reluctant to share their personal information with businesses. This is simply unacceptable. Canadians needs to know that when they choose to share their personal information with a business, it will be protected and kept confidential.

The proposals in Bill S-4 will amend PIPEDA to significantly strengthen the current law and ensure that the privacy of Canadians will be protected when it comes to the rules that companies must abide by when they collect, use or disclose personal information in the course of commercial activities. In the current legislation, there is no legal obligation for businesses and organizations to tell customers and clients when their personal information has been lost or stolen.

The digital privacy act would correct this by making important changes to PIPEDA and implement new data breach requirements for businesses. These changes would ensure that organizations would be taking appropriate steps to notify Canadians. The requirement for mandatory notification is welcome by many stakeholders, in particular the Privacy Commissioner of Canada. In his recent annual report to Parliament on PIPEDA, he stated:

—we welcome the proposed amendment to PIPEDA in Bill S-4, the Digital Privacy Act, which seeks to implement mandatory breach notification.

He went on to say:

Mandatory notification will also provide a clearer picture of the frequency and type of data breaches experienced by organizations.

Mandatory notification would better inform Canadians of situations in which their personal information has been compromised. It would also enable Canada to keep pace with other jurisdictions where similar measures have been enacted or are being considered.

As we have discussed many times, strong rules are meaningless if they are not backed up with strong compliance tools. Bill S-4 would give the Privacy Commissioner of Canada the necessary tools to hold companies accountable when it comes to the protection of the personal information of Canadians.

In addition to the notification provisions, Bill S-4 would also require organizations to keep a record of the event, regardless of whether a breach posed a risk of harm. These records would not only allow organizations to demonstrate due diligence in the risk assessment, but would also require companies to keep track of when their data security safeguards fail so they could determine whether they have a systemic problem that would need to be corrected. What is more, organizations will be required to provide these records to the commissioner upon request at any time.

This record-keeping requirement will give the Privacy Commissioner the appropriate tools to hold organizations accountable for their obligation to report serious data breaches. Once again, I would like to quote the Privacy Commissioner's 2014 annual report, where he stated:

—requiring organizations to keep and maintain a record of breaches, and provide us with such information upon request would be an important accountability mechanism. Our Office would be able to evaluate compliance with the notification provisions and assess how organizations are deciding whether—

Mr. Speaker, it is an honour to speak to Bill S-4, legislation which amends the Personal Information Protection and Electronic Documents Act.

As our lives are more and more immersed in a digital world, our understanding of digital privacy changes and our means of protecting digital privacy also needs to be updated. We use the Internet in so many ways. Our digital identity is now more a part of our identity when it comes to banking and commerce, our tax returns, government services, and our interactions with other people in society. Those are examples of how our identity is becoming more digital. In a world where crimes involving data theft, identity fraud and online stalking are on the rise, and we are becoming more worried about those, it is crucial to protect data to protect our identity.

Data is not simply information. In fact, as my colleague from Victoria very elegantly gave some examples, it is power. It is a doorway into the private lives of many. It is commercial power. The Liberal Party is deeply concerned that the government's commitment to safeguarding the personal information and privacy of Canadians is less than absolute.

Let me give another example which is not quite related to Bill S-4 but I think is important to mention just for the record. Members might know that since the elimination of the long form census, the government has been looking at linking different so-called administrative data sources in different parts of the government in order to reduce the burden of filling out the census. Indeed, some European countries do not have a census. They have deep links between different pieces of administrative data, and people have to report where they live every time they move. The Privacy Commissioner, whose testimony on Bill S-4 at committee was also quite important, has warned Canadians that we should be very wary of simply moving over to this European system, that there are serious privacy considerations which Canadians should look at and agree with before the government proceeds in that direction.

More and more, all of this information is becoming digital. As an example, although I think this is perhaps not the point at which we should be too concerned, in the 2016 census, the government is planning to automatically use income and benefit information from the Canada Revenue Agency. It can do this because everything is digitized. That information would be automatically tacked onto census information and any voluntary replies that Canadians provide to the national household survey, unless of course the election result in October is such that we do not have to go through that. I just wanted to bring that up for the record.

What I would like to talk about most is the process that happened at committee. We are at third reading now. We are trying to decide whether this is the best possible bill that this Parliament could pass.

Unfortunately, there are definitely concerns about whether the approach in Bill S-4 is too broad and whether there are unintended consequences. I will not go too deeply into them. In fact, my friend, the member for Victoria, has done a much better job than I ever could. Suffice it to say that Bill S-4 identifies situations where personal information can be disclosed without the knowledge or consent of an individual. It permits federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual. It permits organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions. Therefore, there is a danger, we believe, that Bill S-4 is too broad.

The problem is that at committee stage, there really was not sufficient examination of these details. There were 42 amendments proposed by the opposition parties. There was not substantive debate at committee. There were no explanations for why the government members opposed amendments that were based on the testimony of expert witnesses, such as the Canadian Bar Association, the Privacy Commissioner and the Insurance Bureau of Canada. There were 42 opposition amendments, all of them defeated rather quickly without a defence of that vote by the government side.

It has been brought up in debate by previous speakers about how committees have worked in this Parliament and how they could be changed in the next Parliament. I really do believe that a couple of simple steps would be a good start to reforming the committee system.

The first one would be to allow committee chairs to be chosen by a secret ballot in this House, just as the Speaker is chosen. My first encounter with this idea was in fact a motion from a Conservative backbencher, the member for Saskatoon—Humboldt. That would be a good measure to ensure that committee chairs are as independent as possible not only from the government, but from their own party leadership. That would be a step toward what we need to make committees really fulfill their role in Parliament, which is ultimately the role that all of us have, which is to hold the government to account.

The second thing which I think would be very useful in committee, and this reverts to past practice in this House, would be to forbid parliamentary secretaries and ministers from sitting as voting members of committees. That would be a good way to protect the independence of committees for the purpose of committees being able to do a better job of holding the government to account.

I believe that if committees had been working better, we would have at least had on the record somewhere the reasons for rejecting the 42 opposition amendments to Bill S-4. In fact, I also believe that if we really had independent committees, some of these amendments would have been adopted, and even in this majority Conservative Parliament, with those amendments we would have passed a better bill than it looks like we might be passing, given the majority on the Conservative side.

By way of conclusion, I just want to say that without a genuine, collaborative, detailed committee study, I believe that the committee has not held the government to account with regard to Bill S-4. Expert testimony has not been properly either taken into account or discounted with some evidence or some cogent argument. We have in Bill S-4 a bill in which there are potentially overly broad provisions and good reason in fact to believe there are overly broad provisions and unintended questions. That is why I will be voting against the bill at third reading.

Mr. Speaker, my colleague really put his finger on the problem, which is rather widespread and applies to other bills besides the one before us today.

For instance, following public pressure, the government unfortunately had to withdraw Bill C-30 from the order paper. However, there was also Bill C-51 and Bill C-13 on cybercrime. Now we are talking about Bill S-4, which completely destroys Canada's privacy protection regime. It waters down the criteria for obtaining warrants and, in some cases, even allows authorities to access the personal information of Canadians without a warrant.

I wonder whether the member could tell us just how troubled he is that this government says here in the House and elsewhere that it wants to protect Canadians, and yet it introduces a number of bills, like Bill C-51, Bill C-13 and Bill S-4, that put Canadians' privacy at risk.

Mr. Speaker, it is a pleasure to rise and speak to Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act, called PIPEDA. The bill has the rather misleading title of the digital privacy act.

I will be speaking against this bill for a number of reasons that have been articulated very well in past debates by the member for Terrebonne—Blainville, our digital issues critic. She has brought in a bill of her own. The government took parts of it and did not go as far as it needed to, to actually protect the digital privacy of Canadians.

I would like to, first, talk about why this is such an important bill. Second, I will talk about the history of getting it here. Last, I will talk about some of the critical problems with this bill and propose an amendment at the end of my remarks.

E-commerce is the backbone of the modern Canadian economy and it is only going to be more important going forward. Think of our children and their use of digital material.

My colleague, the member for Toronto—Danforth, made some comments about e-commerce and why this bill, which underscores legal protections for privacy and e-commerce, is so important. He said that the world's largest taxi company has no cars. It is the largest taxi company because it has personal information. It is called Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company because it owns personal information. The world's largest retailer has absolutely no inventory. He was referring to Alibaba in China.

As we move to what my colleague called the Internet of Things, by 2020, we will have 26 billion devices connected to the Internet. I hope that people appreciate that we are moving into an economy where we need to know the rules of the game and we need to know that our personal privacy in the private sector is protected. Business wants that certainty and consumers demand that what is left of their privacy be treated fairly by those private sector organizations that hold their information.

Canada is really in a unique position on the planet. We are halfway between the European Union, which has a very aggressive data protection regime, and the United States, which has sectoral legislation but not a comprehensive private sector law like PIPEDA, the bill that is before us in its amended form.

I say that we are halfway between those two regimes because, under PIPEDA, Canada has managed to create what is called a substantially similar regime to the European Union. That means that e-commerce companies in England, Ireland, France, and the 28 other countries that make up the EU can confidently share their personal information with Canadians because they know that they will have substantially similar protection. Canada achieved that. The United States does not have anything like that, so companies like Google and Facebook will often use Canada as a launching pad.

If we can make privacy protection sufficient in Canada, it will likely be sufficient for Europeans, who have had the most stringent requirements of privacy on the planet. It is important that we get this right.

It is amazing and very timely that we are having this debate at this time because on Monday of this week a clear signal was given by the Council of Ministers in the European Union that it is going to go for a regulation soon, not the directive that has been enforced for some time. After two years, all 28 countries will have to come up with an even more stringent regime.

That is why this bill is so problematic. It would not help small business, as I will describe, and it certainly would not give consumers the protection that the courts say that they are entitled to. I refer to the case of Spencer in 2014, where warrantless searches were said to be not on for Canadians, yet they seem to be just fine in this bill, which is odd. We need it get it right from a commercial point of view, as well.

I am indebted to Professor Michael Geist, who testified before the industry committee and the Senate, and who is so prolific and thoughtful in his analysis of private sector privacy legislation and other privacy regimes. He talks about how it is has taken us eight to nine years to get to this state.

I wanted to talk about this because the government's ineptitude in helping the e-commerce industry that I talked about and protecting the privacy of Canadians is on full display in the history of this bill.

The Conservatives tell us that it is urgent, that we must get on with it. Well, that is because they have dropped the ball, as I will describe in many ways. It has taken eight or nine years to get to this situation.

The Conservatives left an earlier version of a privacy bill sitting for two years in the House of Commons with no movement whatsoever and then it died at prorogation. How did that happen? In November 2006, the Standing Committee on Access to Information, Privacy and Ethics undertook its hearings on this reform. That was one year later than the five-year review process required by the act.

Just to back up, PIPEDA, the bill before us that is being amended, requires parliamentarians to review it after five years. They could not even get that deadline together.

In 2007, there was a report recommending certain things be done. Nothing seemed to happen. First reading was in 2010 for Bill C-29, the first PIPEDA reform. Second reading of the bill was in October. In September 2011 there was the first reading of Bill C-12, the second attempt to reform PIPEDA. That never got past second reading. It died when the government prorogued. Then another bill, this Bill S-4 was introduced in April 2014. This was the third try. Three strikes are lucky, I guess.

Here we are before Parliament with a bill that when it was in committee, the government said solemnly that it was urgent that we get on with it because it did not want to take a chance on any further delays and amendments. It is laughable the way the government treats the backbone of e-commerce, this privacy legislation. It has taken eight or nine years to get to where we are tonight. In the dying days of Parliament we are debating the legislation. It shows how important this must be to the government of the day.

In my riding, where we have a thriving e-commerce industry, with start-ups trying to develop apps and so forth, the bill is important and the government treats it with a history of neglect, which is the best way I can put the ineptitude I have described.

It is critical for small businesses, as I will describe, because they just do not have the wherewithal of large business to comply with some of the provisions of the legislation. I will come to that in a moment.

What does the bill do? Some of the things it does right is that it has finally agreed with endless Privacy Commissioner recommendations that there ought to be mandatory breach disclosure. If there has been a breach of data by a company, where it is sent to the wrong place and suddenly my personal information is found in the back of a taxi cab on a data stick, someone has to be told about it. That is pretty simple and obviously long overdue. That is a good thing to have in the bill.

Second, there are increased enforcement powers for the Privacy Commissioner, including the notion of compliance agreements that companies would enter into. This is a long-standing consumer protection approach that has now found its way into the bill.

According to experts, such as Mr. Lawford, testifying on behalf of the Public Interest Advocacy Centre, it would likely result in fewer reported breaches because it leaves the determination of whether a breach causes a real risk of significant harm entirely in the hands of the private sector companies.

Do the words “conflict of interest” seem to come up? They do and that obvious conflict of interest is fatal to the purpose of the bill. Why is a company going to want to blow the whistle on itself? It seems a bit odd and others have suggested, as has my colleague from Terrebonne—Blainville, in her Bill C-475, that it ought to be for the Privacy Commissioner, an independent officer of Parliament, to pass on that, not the industries themselves. That was the subject of much criticism in the industry committee, which studied Bill S-4.

That gives me a chance to talk about the attempt by the opposition to actually get meaningful debate in the industry committee. Since I got here, probably the most disappointing thing I have found is the government's utter indifference to any amendments unless they come from its side of the aisle.

There is an effort to have a real dialogue and to improve this and come up with a kind of unanimous support for something which is technical in nature, but the government said no to every single amendment, which, of course, in my experience is the way it does it every single time. I have been on two committees and I have not seen one amendment passed that anybody but the government proposes.

Trying to co-operate with the government to do something which is at the backbone of the new economy and it will not even talk to us. Apparently, that is how the government wants to do business. Fortunately, like so many Canadians, I hope that these are the dying days of a government with such arrogance and indifference to what Canadians want.

The efforts to try to fix this bill fell on deaf ears. My colleague, the digital critic from Terrebonne—Blainville, proposed that the Privacy Commissioner be the one who determined whether a data breach was significant enough to report, which makes sense, as opposed to the fox in the henhouse, where a company has to decided whether it is big or little.

That is not for banks to decide, whether they weigh their reputational risk that they might have versus consumers' rights. I know who could do that, an officer of Parliament. That would be the right person to do that. That is what my colleague suggested. The Conservatives propose putting the burden on companies.

Here is the problem with that, and not only the obvious conflict of interest but there are large companies, think banks, telecoms, companies of that size, that have departments that are responsible for privacy protection. More and more companies have what is called chief privacy officers to regulate this very technical area of the law.

They do a good job sometimes, but they often have this penchant that they obviously feel when they are trying to protect privacy, which is their job description, and not make a career-limiting move when information that is disclosed could cause harm, and the company would be angry with them and shoot the messenger. I have talked to CPOs in companies that tell me that the conflict is alive and well and I can understand that.

Small companies do not have these chief privacy officers, for example, to determine whether there is a significant breach or a significant risk of harm. They have no idea what to do. They want to co-operate, but they do not have the personnel or expertise to do it.

My colleague reasonably suggested that we give them a little help by letting them have access to the Privacy Commissioner's expertise and resources. Is that not a common sense provision? Is that not one that would help those small start-ups in the e-commerce industry that would really like the opportunity to do the right thing but do not have the budget to do it?

The economy in my community, the largest sector now, is not tourism or hospitality, it is high tech. The people who are producing the largest contribution to the Victoria economy are people who are just in this situation, wanting to understand the rules of the game in the new e-commerce, looking to the government to give them clarity, make it easy for them to do the right thing, so they can compete internationally, as they are doing so effectively, and to be onside with the European Union's incredibly stringent rules.

Guess what? They do not have a CPO, paid $150,000 a year or whatever, like the large banks would. The government has done nothing to assist them and they are angry about it. They do not understand why this so-called business-friendly government simply does not get it.

Some 18 amendments were proposed by the NDP and 18 amendments declined by the government of the day. We tried to work it out, but the government just wanted to jam it through. To add insult to injury, for the 97th time it used time allocation on a bill of a technical nature like this. I think the government is over 100 times now.

In the history of Parliament, has there ever been a government that has done this more often? I certainly do not know. I want to study it. I have a student looking at this because the arrogance and the anti-democratic behaviour of the government has to be exposed. The 97th time was for a bill on digital privacy. It is shocking and shameful that we are in this world today with this government.

The Supreme Court has told us that warrantless searches are wrong. They are unconstitutional. My colleague from Toronto—Danforth said we should send it to the court for a constitutional reference. We cannot have yet another loss in the Supreme Court. How many would that be? I have lost count. It is six or seven. How about having a reference to the Supreme Court of Canada?

The leader of the opposition asked for that today with respect to Bill C-51. The government, of course, would never do that. It just wants to go lose again in the Supreme Court.

The Spencer case in 2014 established that warrantless searches are a bad thing. How can the government then put these searches into Bill S-4, the bill before us, and pretend it is going to be constitutional? It is great work for lawyers. I have many friends who welcome the government's position because it is a make-work project for constitutional lawyers, but is it helping the Canadian taxpayers? Is it helping the e-commerce businesses, those little businesses from coast to coast that are struggling in this international economy? Do they have the clarity they need to go forward? Why do we have to waste our time with yet another Supreme Court loss by the government? It makes no sense.

Could the government have co-operated a little with people of good faith who wanted to make it better and solve this problem, as New Democrats tried to do in committee? One would think the government would welcome that, but it simply said no.

My next point is kind of a technical thing, but I want to raise it. We talked about breach notification, and I want to give an idea of how complicated this is for the little mom-and-pop or individual family businesses that are now arising in the economy. Clause 10, which would add section 10.1 to PIPEDA, talks about the kind of notification that is required when there is a breach. I want to give an idea of how complicated this can be and how lack of clarity means something.

Proposed subsection 10.1(5) says, “The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.”

Three times the word “prescribed” is mentioned, which means it will be prescribed by regulation to follow later. There would be regulations that would define the kinds of things that would have to be done to give notification of a breach. However, as an example, let us take a small business that is trying to do the right thing. When there is a breach, it wants to notify people immediately. What is it going to do? Until there are regulations, it is utterly meaningless.

I know the government will bring in regulations eventually. That is a good thing, and I am sure companies are looking forward to seeing them, but as they plan ahead in this incredibly dynamic sector, they do not have a clue, and neither do we. None of us can say what those prescribed requirements are, because “prescribed” means to follow later in regulations, regulations nowhere to be found. People will have to try to figure that out. People sitting in a little start-up in Victoria or St. John's or Toronto or Montreal will have to try understand how to work their way through this difficult bill.

It is a history of neglect. It is a history of failure to listen to the opposition, which wanted to work together to create this regime. It has a history of eight or nine years in coming to the dying days of Parliament, but we should not worry, because it is urgent now, according to the Minister of Industry.

New Democrats do not believe it.

Therefore, I move:

That the motion be amended by deleting all the words after the word “That” and substituting the following:

“this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it:

a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected;

b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies;

c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances;

d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and

e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”

Mr. Speaker, I would like to ask my colleague across the way another question about Bill S-4.

According to some experts, many parts of Bill S-4 are unconstitutional. Why, then, will the government not simply take out the parts that are unconstitutional, especially in light of the Spencer ruling?

I would like my colleague to comment on that.

Mr. Speaker, when we look at the process of Bill S-4, is it any wonder that Canadians look at Ottawa and come to the determination that Parliament is broken? There is a need for real change, and the Liberal Party of Canada will be advocating for that.

Let us look at this bill. We have legislation before us that has some serious flaws. We had the opportunity in committee stage to make some changes with amendments. The majority government, over the years, has made the determination that it does not matter what kind of amendment it is if it comes from the opposition benches. It is an automatic default that amendments are bad unless they are Conservative amendments.

Will the member not recognize that this bill is faulty in the sense that the many amendments that were brought forward, whether from the Liberal Party or other opposition members, did have some merit to them? Would he not acknowledge that fact?

Mr. Speaker, it is truly a pleasure for me to ask my colleague opposite a question on behalf of my constituents from Alfred-Pellan in Laval.

In the bills that the Conservatives introduce, the devil is often in the details. When examining the proposals set out in Bill S-4, I had some concerns that I would like to raise.

One of those concerns in particular reminds me of the nightmare of Bill C-51 and its lack of a proper oversight mechanism. Bill S-4 presents the same type of problem. It would allow greater access to personal information without a warrant and without provisions for an oversight mechanism.

In fact, I am wondering why the Conservative government is working so hard to allow snooping without a warrant and why it is creating bigger holes with bills such as Bill S-4.

Mr. Speaker, I want to thank my colleague for his description of the balanced approach we have taken, in contradiction to the NDP's heavy-handed approach. I would like him to comment on how Bill S-4 would amend PIPEDA to reduce red tape for normal business activities.

Mr. Speaker, I heard my colleague mention amendments. However, the Conservatives rejected one of our critical amendments that was supported by many witnesses. That is rather problematic. We wanted to work with the Conservatives, but as usual, they turned a deaf ear in committee and refused to work as a team.

Why did they once again refuse to accept our amendments, which would have corrected and improved the bill so that we could better protect Canadians? As it now stands, Bill S-4 is still quite flawed. For example, it leaves it up to the companies to enforce the regulations, which is unacceptable.

I would therefore like my colleague to explain why the Conservatives rejected our amendments.

Mr. Speaker, I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act.

Last year our government launched digital Canada 150, an ambitious plan for Canadians to take advantage of the opportunities of this digital age. It is a broad-based ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and to connect Canadians to each other. As the digital economy grows, individual Canadians must have confidence that their personal information will be protected. That is why under digital Canada 150, one of the five pillars is known as “protecting Canadians”.

The digital privacy act would provide important and long awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities while also setting guidelines for the collection, use and disclosure of personal information.

These rules are based on a set of principles developed jointly by government, industry groups and consumer representatives. The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, the amendments would clarify rules for businesses and reduce red tape.

These guidelines would ensure that vital information is available to Canadian businesses so that they have the necessary tools to thrive in a global economy. Balancing individual expectations for privacy and the need for businesses to access and use personal information in their day-to-day operations is important. Bill S-4 gets this right. It assures individuals that no matter the transaction, their personal information will continue to be protected under Canadian law.

The need to update the rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements. The bill before us does exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The Privacy Commissioner will also be notified.

An organization that deliberately covers up a data breach or intentionally fails to notify individuals and report to the commissioner could face significant fines as a result.

Let me now take a minute to point out some of the ways in which the bill before us creates an effective streamlined regime for reporting data breaches. The digital privacy act establishes a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach.

If a business determines that the data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and the Privacy Commissioner.

If the organization determines that the data breach does not pose a risk of significant harm, that is, its data security safeguards were compromised but it avoided a situation where the customers are exposed to a threat, like identity theft, fraud or humiliation, then that organization must keep a record of that breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, serves two purposes. First and most important, it requires companies to keep track of when their data security safeguards failed, so that they can determine whether or not they have a systemic problem that needs to be corrected.

An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individual affected may not be so lucky. Keeping track of these breaches will help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the Privacy Commissioner to hold organizations accountable for their obligations to report serious data breaches. At any time, the Privacy Commissioner may request companies to provide these records which will allow the commissioner to make sure that organizations are following the rules.

If companies choose to deliberately ignore these rules, the consequences as set out under the digital privacy act are serious. Bill S-4 would make it an offence to deliberately cover up a data breach or intentionally fail to notify individuals and report it to the commissioner.

In these cases, organizations could face a fine of up to $100,000 for every individual they fail to notify. These penalties represent one way that the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee:

I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill. Proposals such as the breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm. We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I have been discussing the data breach rules which are a very important element of the bill before us. I would like now to turn my attention to four ways that Bill S-4 would strengthen Canada's privacy rules.

First, the bill establishes strong consent requirements to protect vulnerable individuals online, particularly children. These enhanced consent provisions were introduced as a result of recommendations made by Parliament during the first statutory review of PIPEDA.

Under PIPEDA, organizations need to obtain an individual's consent to collect, use, or disclose their personal information. Under the bill before us, an individual's consent would not be considered valid unless the way the information will be used is clearly communicated in language appropriate to the target audience.

For example, some businesses operate online playgrounds or educational websites that target children and collect personal information of children that is used for marketing and other purposes. Bill S-4 requires that the language used to obtain consent must be such that a child could reasonably be expected to understand the nature, purpose and consequence of sharing his or her personal information. If the consent request is too complicated for the child to understand, the consent would not be valid.

Again, the Privacy Commissioner of Canada supports this amendment. He told the committee:

I think it would be useful to further clarify that consent is to be evaluated from the perspective of the person whose consent is invoked. Organizations would be asked to put themselves in the shoes of various clientele from whom they are collecting information so that consent is as meaningful as possible.

Second, Bill S-4 seeks to harmonize federal laws with provincial privacy protection laws when it comes to a sharing of personal information without consent in narrow, limited circumstances.

PIPEDA already provides for a number of circumstances where personal information can be shared without consent when it is clearly in the public interest to do so. The amendments in Bill S-4 would add to this by allowing information to be shared in order to protect seniors and other vulnerable individuals from financial abuse or neglect, communicate with the family of an injured or deceased individual, or identify a victim of an accident or a natural disaster.

In his testimony before the standing committee, Mr. Marc-André Pigeon, director of financial sector policy at Credit Union Central of Canada expressed his strong support for Bill S-4 and the financial abuse amendment. He said:

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse.

The third way that Bill S-4 would strengthen PIPEDA would be through changes that would support day-to-day business operations. The digital privacy act would remove unnecessary red tape for businesses by allowing for the collection, use and disclosure of personal information without consent in the context of specific legitimate business activities. For example, Bill S-4 would allow information to be more readily available in order to conduct due diligence in the context of mergers and acquisitions.

Similarly, the digital privacy act would allow businesses to share any type of business contact information in order to carry out normal business activities. It is simply ridiculous that PIPEDA allows an employee to share an office phone or fax number, but not an email address. Bill S-4 would fix this problem, a solution supported by the Retail Council of Canada. It told the committee:

—we support the clarification on the exclusion of business contact information...This section 4 clarification will better equip businesses to conduct their ongoing operations.

Finally, the digital privacy act would make existing compliance tools stronger and more effective. PIPEDA is enforced by the Privacy Commissioner of Canada who can turn to the Federal Court when an organization is found to break the rules. Bill S-4 would also give Canadians the option of taking an organization to Federal Court to order an organization to change its practices or to seek damages.

While the digital privacy act would keep those options open, it would also provide an alternative to court action such as voluntary compliance agreements. Under a compliance agreement, organizations would voluntarily commit to take action to comply with the law to avoid costly legal action. The agreements would be legally binding and would allow the commissioner to hold organizations accountable to follow through on their commitments to private privacy protection.

Again, the Privacy Commissioner expressed his strong support for this tool when he appeared before the standing committee. He said that the compliance agreement amendment was “very necessary” and “helpful for us to implement and apply”.

Canadian organizations care about their reputation and they know that sound privacy practices will have a lasting impact on the legitimacy of their brand. They also know that the reverse is true, that if their customers find out about shoddy privacy practices, their businesses will suffer. This is why the digital privacy act would give the Privacy Commissioner broader powers to name and shame a non-compliant organization to encourage it to take corrective action.

If either of these measures fail to provide the right incentives for businesses to fix their privacy problems, Bill S-4 would give the Privacy Commissioner more time to take them to court. Under the current law, the commissioner only has 45 days after he finishes the investigation to take the organization to court.

The Privacy Commissioner told the standing committee that it was simply not enough time, given the high complexity of issues with which his office dealt. Quite often, the Privacy Commissioner will work with organizations for several months, if not a year, to ensure they follow through on their commitments to fix any problems he has identified. The problem, of course, is that organizations can simply delay taking action for a couple of weeks, knowing that after 45 days, the commissioner will no longer have the option to take them to court. Bill S-4 would fix this problem and would provide the commissioner with a year to take an organization to court for non-compliance.

I have just outlined the five major provisions in Bill S-4, which include: new data breach rules; clear requirements when obtaining consent from individuals, including from minors; changes to support other public interest objectives, like fighting financial abuse; reducing the red tape for day-to-day operations; and new compliance tools for the Privacy Commissioner of Canada.

It is clear that Bill S-4 would deliver a balanced approach to protect the personal information of Canadians, while still allowing the information to be available to the growing, innovative digital economy.

Karl Littler, vice-president of Public Affairs at the Retail Council of Canada, summed it up best when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

We have it right with this digital privacy act. Both businesses and consumers have been empowered in this digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting personal information, and that is essential to conduct business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians. I urge hon. members to join me in supporting this bill.

moved that Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, be read the third time and passed.