Bill S-4 (Historical)

Mr. Speaker, the hon. member spoke at length in her comments about the Spencer decision.

The digital privacy act, to be clear, would not force companies to hand over private information to the police or anyone else without a warrant, and the independent officials who came before the committee, not cabinet ministers, who the hon. member has apparently such a hatred for, said that the Spencer decision has absolutely nothing to do with this piece of legislation.

I would like the hon. member to take this opportunity to point out very specifically where the Spencer decision has anything to say about PIPEDA or this particular legislation.

Mr. Speaker, first, I hasten to correct my friend. I have never spoken in this place, or in any serious location, with anything but respect and love for my colleagues.

My second point runs to the testimony provided by Professor Michael Geist that Bill S-4 runs contrary to the spirit of the Spencer decision and that, in fact, by allowing the disclosures to be made with upfront Internet service providers from telecom companies and so on without having the notification to the holder of the information, in his words:

The provision opening the door to massive expansion of warrantless, non-notified, voluntary disclosures should be removed....

Mr. Speaker, I have a question as a follow-up to the question that my Conservative colleague asked the hon. member.

The R. v. Spencer ruling came down after this bill was studied in the Senate. What is more, Bill S-4 is based on models from British Columbia and Alberta. Some aspects from Quebec are included as well.

However, we saw that a report was tabled by the Legislative Assembly of British Columbia, the region my colleague represents, saying that in light of the ruling in Spencer, it would amend its personal information protection legislation, known as PIPA. If we are basing our legislation on a model that is changing, then I think we have a problem.

Why are we incapable of working together to see what repercussions the Supreme Court ruling might have on our laws, when other legislation, on which we are basing our bills, is in the process of changing?

Mr. Speaker, I agree with my colleague.

With Bill S-4, the government missed out on an opportunity to introduce a system that is in line with the Supreme Court decision in R. v. Spencer.

It is too bad, because this really could have been possible with the amendments brought forward by the opposition parties. Every party here brought forward amendments that would have worked. However, the government decided to reject all of them.

Mr. Speaker, certainly the amendments the hon. member had presented at committee, both from the official opposition and by us, were just routinely dismissed. There was very little discussion, if any, and absolutely no room for any kind of serious work to be done because of the issue that if there were any changes, the bill would have to return to the Senate.

I would like to ask my hon. colleague if that was the reason all of our amendments were so quickly dismissed.

Mr. Speaker, I would have to say for my hon. friend from York West that I cannot offer any explanations for why amendments are rejected. We can say, though, that there is a pattern.

I have had the great good fortune—and I have to say I was very pleased—that in the committee looking at the pipeline safety act, two of my amendments were accepted. That is far more the exception than the rule. The vast majority of times in this place recently, bills go from first reading to royal assent without any amendments. That is quite against the tradition of the Parliament of Canada and the legislative drafting process and the role we all play as members of Parliament in improving legislation. That is supposed to be the point of the committee process. The legislative process is that we work together to improve legislation, not turn it into a partisan battle over every single amendment.

Mr. Speaker, I am pleased to be here today to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.

As consumers, we are all aware that, in the digital world we live in today, our personal information has become increasingly more accessible. People and organizations exchange huge amounts of information over the course of the day, whether it be through email, Internet browsing, or financial transactions. Digital networks have fast become the most efficient and convenient method of communication for Canadians.

Our government takes the protection of this personal information very seriously. We recognize the importance of having strong privacy protections in place to ensure that organizations are properly safeguarding the personal information of individuals across this country. Bill S-4 would implement changes to the Personal Information Protection and Electronic Documents Act, known as PIPEDA. These modifications would ensure that organizations are taking the appropriate steps to address the handling and protection of information in today's digital era. This bill, entitled the digital privacy act, sets out specific rules that businesses and organizations must follow when personal information they hold is lost, stolen, or accessed, either for malicious purposes or as the result of an accident.

As we have seen in the past year, data breaches continue to present themselves as a major challenge to the privacy and security of information. Breaches can happen in any number of different ways and to any type of organization. Digital information can be stolen through sophisticated cyberattacks or through simple software vulnerabilities that are made public.

Take the Heartbleed incident, for example. According to Symantec, this software glitch that was exposed in 2014 left approximately 0.5 million trusted websites at risk of a serious data breach. Financial information and sensitive customer data can also be left vulnerable in the event of a data breach. Unfortunately, this is a familiar topic for Canadians in today's digital age. Take, for example, last September when Home Depot announced that a data breach by unknown hackers left as many as 56 million debit and credit card customers across North America vulnerable to fraud.

Research shows that the majority of today's data breaches are conducted with malicious intent. The Symantec Internet threat report states that nearly half of all breaches are caused by outside attacks and that these attacks are becoming increasingly sophisticated. Canadians are concerned about this. A recent nationwide survey on Canadian attitudes around data breaches concluded that this issue is creating significant public anxiety. The survey found that 79% of Canadians are worried about being a victim of a data breach. Data breaches are a top-of-mind issue for Canadians. This is not surprising, given the importance of the Internet in the day-to-day lives of Canadians.

Organizations should also be concerned about data breaches, given how expensive these incidents can be to businesses. It is estimated that the cost to combat and recover from data breaches worldwide last year was approximately $364 billion. Business owners need to know that consumer demand for responsiveness to data breaches is increasing. A nationwide survey highlighted that Canadians assume that companies will take immediate action in the event that personal information is lost or mishandled.

That is not all Canadians expect. The same study concluded that over half of all respondents want companies to do the following: provide clear information and instructions on how individuals can protect themselves; and provide them with free credit monitoring for a certain period of time in the event that a breach occurs.

With the digital privacy act, our government is responding to the needs and concerns of Canadians. First, companies would be required to put in place strong security measures to prevent data breaches. Second, companies would be required to respond to a breach if and when it does occur or risk facing a strong penalty. With the changes we have proposed in the digital privacy act, if a company has its computer systems hacked and believes personal information has been stolen, or if that information has been lost inadvertently, the company would need to take a number of steps.

The company would be required to assess the risk resulting from the breach, and if it determines that the incident poses risk of harm, it would need to notify the affected individuals and file a report with the Privacy Commissioner of Canada. On the subject of mandatory breach reporting, the Privacy Commissioner has stated that:

Mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.

An organization would also have to keep a record of the event, regardless of whether a breach poses an obvious risk of harm. These records would not only allow organizations to demonstrate due diligence in their risk assessment, but they would also require companies to keep track of when their data security safeguards fail. This would help businesses determine whether or not they have a systemic problem that needs to be corrected.

What is more, organizations would be required to provide these records to the privacy commissioner at any time, upon request.

This record-keeping requirement would provide a mechanism for the commissioner to hold organizations accountable for their obligation to report serious data breaches.

Here is what the Privacy Commissioner had to say on record keeping:

I believe that the organization experiencing the breach is in the best position to assess risk and decide whether notification of individuals is warranted.

To provide an appropriate incentive to implement these measures, we believe that there should be serious consequences for intentionally ignoring them or attempting to cover up a data breach. Bill S-4 would make such deliberate acts a serious offence, punishable with fines of up to $100,000 per offence.

These changes are widely supported by stakeholders, as is evidenced by witness testimony during the committee's review of the bill.

The Canadian Internet Policy and Public Interest Clinic said that:

...we're very grateful to see this notification obligation coming into force. It's much delayed and needed.

The Canadian Bankers Association also came out in favour, stating that:

The banking industry supports the requirements in the Digital Privacy Act for organizations to notify individuals about a breach of their personal information where there is a real risk of significant harm.... We also support the Commissioner’s new oversight powers to ensure organizations comply with these new provisions.

Finally, the Canadian Pharmacists Association also expressed its support, saying:

For pharmacists who access a significant amount of sensitive information related to the medication and health of their patients every day, a breach or disclosure of this information has the potential to put the patient at risk.... As a result, CPhA believes that...reporting this breach to the individual concerned and the Privacy Commissioner are reasonable steps to take in order to mitigate any risk that may occur.

It's also reasonable for the organization in question to maintain proper records of these occurrences....

While there was broad-based support for the bill among stakeholders, the committee did hear some concerns about certain elements. One issue on which the committee heard different views is the threshold for reporting data breaches to the commissioner. Some stakeholders felt that the threshold is too high and that more breaches should be reported. Others thought the threshold is too low and that only material breaches should be reported to the commissioner.

The digital privacy act would take a balanced approach, one that avoids over-reporting of harmless incidents and yet allows the commissioner to oversee how organizations are meeting their obligations. The Privacy Commissioner agreed, telling the committee:

I support the risk-based approach that will require organizations to assess the seriousness of each incident and its impact on affected individuals.

Some stakeholders also expressed concern that the obligation to keep records of all data breaches is burdensome. However, the Privacy Commissioner, again, believes that the digital privacy act would get it right, telling the committee:

Requiring organizations to keep a record of breaches and provide a copy to my Office upon request will give my Office an important oversight function with respect to how organizations are complying with the requirement to notify.

Record-keeping can be done in a way that would minimize burden while still allowing businesses to demonstrate that they are conducting the proper risk assessments. The government would need to enact regulations to elaborate on what these records would need to look like and how long companies would need to hold on to them.

As a result, consultations during the regulatory development process would allow for further discussion, with stakeholder input, on this important issue.

Finally, some have questioned the need for fines in this area. The government recognizes that many organizations already notify individuals of data breaches in a responsible manner. However, we know from experience that there will always be those who try to break the rules.

The penalties in the digital privacy act would target those organizations that wilfully and knowingly disregard their obligations under the law or, worse, cover up a breach. These fines would not apply to organizations that make a mistake in good faith.

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa told the committee that:

We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored.... The fines currently in PIPEDA are designed as penalties for very overt offences.

Bill S-4 would encourage all organizations to play by the same rules and implement adequate controls and safeguards around the personal information they hold.

Furthermore, I encourage the House to oppose the motion put forward by the Green Party to delete clause 10 of Bill S-4. This would remove the new requirements for organizations to notify individuals who have been put at risk if their personal information is lost or stolen. The amendment ignores the advice of numerous privacy advocates including the Privacy Commissioner of Canada.

On several occasions, the commissioner has recommended that PIPEDA be amended to require mandatory data breach reporting. The digital privacy act would act on this recommendation, and the commissioner has expressed strong support for the approach taken in Bill S-4. The Privacy Commissioner and the majority of witnesses who appeared before the standing committee agreed that Bill S-4 is a significant improvement to PIPEDA and a necessary step in ensuring Canadians' personal information is safeguarded.

I think the Canadian Life and Health Insurance Association said it best in its witness testimony. It said that Bill S-4 takes a balanced approach to the responsibilities placed on business and organizations, but most importantly, it would protect the consumers of those businesses and give individuals the information they need to take corrective action when necessary.

Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4 would strengthen these rules and increase the protection of Canadians' personal information. In summary, the digital privacy act would balance the privacy needs of Canadians and the ability of businesses to access and use personal information in their day-to-day operations. It would do this in a way that avoids over-reporting of harmless incidents while making it clear to businesses what their legal obligations are.

I hope we can count on the opposition's support and quickly pass the digital privacy act into law.

Mr. Speaker, the Conservatives came to the committee study of this bill with their minds already made up. They said that we absolutely had to pass this bill in its current form without any changes, otherwise the process would take too long, especially with the upcoming election. Everyone in the House knows that we will be having an election soon, but the Conservatives had four years to do something.

The member even said in his speech that this bill was overdue and that it was needed. Of course this bill is long overdue, because the Conservatives waited four years before they introduced anything. Bill C-12 disappeared completely, and some reviews of PIPEDA simply fell through the cracks because the Conservatives did not act. They could have voted in favour of my bill, Bill C-475, and the legislation would already be amended.

Why did they adopt that attitude at the committee meetings? How can they justify such an undemocratic attitude towards this bill?

Mr. Speaker, I find this question very interesting. Oftentimes we hear members of the opposition stand and complain that we are passing legislation too quickly. However as we pass this legislation, legislation that is really important to Canadians from coast to coast to coast, on the other hand, members obstruct time and again, moving motions that delay the operations of the House so that we cannot pass legislation that we need to get passed.

In this case, we have a piece of legislation that is incredibly balanced. Witness after witness throughout the committee process said as much. Certainly there were people on one side of some parts of the legislation and people on the other side of other parts of the legislation. We found time and again that the legislation came right down the middle.

Witness after witness said it is important for us to get this legislation passed, and I hope we can count on the opposition members. The opposition member who just asked the question has come out praising the legislation. We hope we will be able to get this legislation passed soon with the help of the opposition.

Mr. Speaker, I was not planning on asking my colleague a question, but I absolutely have to, when my hon. colleague talks about all of these witnesses after witnesses. It is like most of their legislation. I believe we had four or five meetings in total. At the Senate there were two or three, and in fact Professor Geist was one of the first witnesses who came to committee, and his first complaint was the fact that at the Senate there were two or three meetings, and that was it.

This is an important piece of legislation. My colleague suggests that there were so many meetings and lots of witnesses who came out. Yes, there was support because this is needed legislation, but there are ways of making the legislation better, which is what the official opposition, the Liberal Party, and the Green Party were trying to do. We were trying to improve the legislation, but we were given no chance at all.

Mr. Speaker, I do not know if there was a question there. It sounded more like a statement, and I find the statement interesting, because she sits on the committee. She is a good friend, but I do not remember her at any point, in committee or even privately, coming up to me and saying that we were not having enough meetings on this legislation. No one made that argument. Certainly amendments were put forward and were voted on by the committee.

I would also point out that the legislation we are looking at today largely comes from a unanimous report in 2007 that was supported by members from all parties. Many of the measures that we are talking about and hearing about in speeches from the other side are measures that were put in place based on the recommendation of a unanimous report from all parties in 2007.

Mr. Speaker, I thank my colleague for his presentation today on this important legislation. I would like to ask him, with regard to Bill S-4, if he could elaborate on how our government is working to protect and help vulnerable Canadians, especially children.

Mr. Speaker, again, that was an important part of the committee hearings. Witnesses came before the committee and talked about how the legislation needs to be changed to enable the sharing of information about financial abuse of senior citizens and others, for example, and not just information dealing specifically with children. They said that we needed to ensure that we struck a balance in protecting people's privacy while still being able to share information when people were vulnerable to financial abuse.

They also talked specifically about taking steps to ensure that when organizations are specifically targeting children, the information that they are asking for is clearly communicated in a way that a child or the person being asked for information would understand.

These are common sense changes that make this legislation even better.

Mr. Speaker, I find the question that was just asked to be a bit rich, given the fact that it is the current government that refused to spend $10 million and ripped it out of the RCMP budget. It was actually geared toward sexual exploitation. If the Conservatives are really serious about protecting youth, that is where they should have spent that money.

With respect to the bill, when we look at the amount of testimony and the number of people who indicated that there should be some amendments to it, we see that the opposition submitted 18 amendments, all of which were rejected. It is as if on that side of the House, they do not think anything can be improved unless it corresponds to their mindset.

Given that we proposed several amendments and that they refused to listen to the concerns expressed by the witnesses during the study, and given that every single witness and group that appeared before the industry committee argued in favour of amending the bill and making it better, I wonder why they did not do it. Why are they rejecting all amendments that could give Canadians the protection they want for their personal data and electronic documents? Why push forward with this legislation, which would likely not withstand a constitutional challenge? Can the member guarantee that this legislation would actually pass a constitutional challenge?