Bill S-4 (Historical)

Mr. Speaker, I am very happy to be in this place and to rise on behalf of the people of Okanagan—Coquihalla. I am also pleased to express my support for Bill S-4, the digital privacy act.

Bill S-4 provides a number of important updates to the Personal Information Protection and Electronic Documents Act. In my view, these updates are long overdue and will better protect Canadians, in particular consumers, seniors, and children, who could be more vulnerable to sharing personal information online.

I believe that most parents would agree that today's kids' use of the Internet and related digital technologies is unprecedented in our history. Today, children have access to everything online, from information for school projects to gaming, music, movies, and much more.

A wide variety of devices are used to engage in activities such as socializing or gaming with friends, and of course, sharing photos and videos on social media sites that can be viewed by people all over the world. A young teenager may have a picture or a self-made video viewed by tens of thousands of people. While that may be an exhilarating experience, I would also say that it could potentially be a dangerous one.

As we know, a survey conducted in 2013 found that 30% of grade 4 to grade 6 students had Facebook accounts. By grade 11, that increases to 95% of all students, and that is just Facebook. What about Twitter or Instagram or Snapchat?

Businesses are not naive to these trends. Online services can generate massive amounts of revenue. The action of collecting and analyzing personal information for marketing purposes is huge and increasingly valuable. This includes personal information taken from websites, apps, and search engines aimed at kids.

Do kids have any idea that their information is being gathered? Do parents? Is there a clear understanding of what happens to that information that is required to register and download or play a free online game?

Our government recognizes that the digital world offers benefits to children. We are also aware that the online community is often a reality in our day-to-day lives.

The skills kids develop by participating and navigating in online activities can create a significant advantage as they grow up and transition into the job market. Indeed, many high-school-aged kids today have as much, or more, online literacy than a technician would have had a decade ago. However, with growing participation in the online world come increased threats to privacy.

PIPEDA currently contains provisions that protect the personal information of children. As an example, businesses cannot obtain consent in a deceptive or misleading manner. The act also prevents companies from denying access to services on the basis of a refusal to share personal information.

The digital privacy act proposes an amendment to increase protection by creating new safeguards related to the collection, use, and disclosure of personal information. The bill would require that an organization ensure that users, as a group, were able to understand what happens to the information that is collected about them.

I would like to provide this place with a few examples of how the proposed amendment would work.

One example could be an educational website designed to help elementary school kids develop math skills. Under the proposed amendment, requests by that particular website to collect, use, or disclose personal information would need to be understandable by the average elementary school student. This would ensure that these requests used words and language that was appropriate for the website's target audience. Under the digital privacy act, it would not be reasonable to simply expect average elementary kids to understand what clicking the “I agree” box actually meant. If there was no clear understanding as to why the information was being collected, the company would not have valid consent.

As another example, in the case of a mobile app that allowed teenagers to create music recordings, that app would need to obtain the consent of these teens in a manner that would be different if the app were targeting adult users.

I am also aware that during the committee hearings on Bill S-4 , a number of witnesses shared their views on the proposed consent measures.

The Privacy Commissioner of Canada, when expressing his support for this amendment, stated the following:

it is a useful clarification of what consent is, and it has the potential of improving the situation for the issue of consent sought from children.... So, when the individual is a child, if your product is addressed to children, you should think about what is reasonable to expect of a child in understanding the consent being sought. Overall, I think, again, the definition of consent in Bill S-4 will assist generally and will assist particularly groups that are more vulnerable, like children.

The committee also heard from other expert witnesses who offered their support for the consent amendment. For example, the Retail Council of Canada stated its wholehearted support for this proposed amendment on valid consent, emphasizing in particular that, “a vulnerable population such as children should be protected”.

In addition, the Marketing Research and Intelligence Association, which represents the Canadian survey research industry, also wrote to the committee to share its views on Bill S-4. In its submission, it stated that the amendment “provides added clarity for organizations when they seek the valid consent of an individual when collecting, sharing and disclosing their personal information” and “that specifying the elements of valid consent will go a long way to protecting the most vulnerable Canadians, such as seniors and children”.

These are positive endorsements, and I believe they speak to the idea that children need and require extra protection when it comes to their online activities and the protection of their privacy.

In early May of this year, an international network of privacy commissioners, called the Global Privacy Enforcement Network, or GPEN, conducted a worldwide spot check on children's privacy protection. This privacy sweep, as it was called, looked at whether apps and websites worldwide inappropriately gathered information on children.

For some background, GPEN began conducting worldwide privacy sweeps in 2013. The first sweep focused on website privacy notices, and then in 2014, it focused on mobile apps. These sweeps have involved the active participation of Canada's own Privacy Commissioner. They have highlighted areas where privacy practices are lacking. Each time the sweeps have successfully resulted in concrete positive changes to a large number of apps and websites.

This year GPEN also looked at the types of information being collected from children and whether protective controls exist to limit that collection. This year's sweep also looked at whether these sites and applications take steps to make privacy policies understandable to kids, using things like simple language, large print, audio and animation, and whether parental involvement is encouraged.

The Privacy Commissioner of Canada had this to say about the children's privacy sweep:

Children are more connected than ever before and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or email address. This is about protecting children. I can’t think of anything more important than that.

I agree with the Privacy Commissioner.

This year's sweep was a privacy spot check that included 29 data protection authorities from 20 countries, including the Privacy Commissioner of Canada. I believe that many members of this House will look forward to the results of this groundbreaking privacy sweep when it is released in the fall. I expect the results will be of assistance to the Privacy Commissioner and the private sector in determining where changes need to be made to comply with the new enhanced consent requirements under the digital privacy act.

Earlier this year, our Privacy Commissioner also published a top 10 list for protecting children's privacy for organizations with services aimed at children and young people. These tips offered by the Privacy Commissioner emphasize that when it comes to children, the privacy protection bar needs to be set extremely high. I submit that this is why the Privacy Commissioner of Canada has publicly recognized that the amendment would enhance the concept of consent.

We have heard from the Privacy Commissioner and from privacy commissioners that this is an emerging field. I believe that the amendments made to PIPEDA will help protect our children and other vulnerable populations, like seniors. I would humbly ask all members in this place to give these provisions their due review and support.

Mr. Speaker, I thank my colleague from Nipissing—Timiskaming for his speech on Bill S-4.

I worked on Bill C-51, which thousands of Canadians opposed. They were worried that the bill would invade their privacy and violate their rights and freedoms. In the answer he just gave, my colleague said that this bill was not necessarily perfect but that we need to take action. I have a question for him.

Bill S-4, and also Bill C-13, would allow greater access to personal information without a warrant and without provisions for a proper oversight mechanism. This is reminiscent of the extremely distressing Bill C-51, which we studied not too long ago.

Why is the government working so hard to allow snooping without a warrant by creating bigger holes with Bill C-13 and Bill S-4?

Mr. Speaker, I am pleased to rise to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.

Last year, our government launched digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a broad-based, ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and connect Canadians to each other.

As the digital economy grows, individual Canadians must have confidence that their personal information is being protected. That is why, under digital Canada 150, one of the five pillars is known as “protecting Canadians”. The digital privacy act would provide important and long-awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities, while also setting guidelines for the collection, use, and disclosure of personal information. These rules are based on a set of principles developed jointly by government, industry groups, and consumer representatives.

The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, amendments would clarify rules for businesses and reduce red tape. These guidelines would also ensure that vital information is available to Canadian businesses, so they have the necessary tools to thrive in the global digital economy.

Balancing the individual expectations for privacy and the needs of businesses to access and use personal information in their day-to-day operations is important, and Bill S-4 gets it right. It would ensure individuals that, no matter the transaction, their personal information would continue to be protected under Canadian law.

The need to update rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements.

The bill before us would do exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The privacy commissioner must also be notified. An organization that deliberately covers up a data breach, or intentionally fails to notify individuals and report to the commissioner, could face significant fines as a result.

Let me now take a minute and point out some of the ways in which the bill before us would create an effective and streamlined regime for reporting data breaches. The digital privacy act would establish a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach. If a business determines that a data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and to the privacy commissioner. If the organization determines that a data breach does not pose a risk of significant harm—that is, their data security safeguards were compromised but they avoided a situation where their customers are exposed to threats like identity theft, fraud, or humiliation—then that organization must keep a record of the breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, would serve two purposes. First and most important, it would require companies to keep track of when their data security safeguards fail, so that they can determine whether or not they have a systemic problem that needs to be corrected. An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individuals affected may not be so lucky. Keeping track of all breaches would help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the privacy commissioner to hold organizations accountable for their obligations to report serious data breaches.

At any time, the privacy commissioner might request companies to provide these records, which would allow him to make sure organizations are following the rules. If companies chose to deliberately ignore these rules, the consequences, as set out under the digital privacy act, would be serious.

Bill S-4 would make it an offence to deliberately cover up data breaches or intentionally fail to notify individuals and report to the commissioner. In these cases, organizations could face fines of up to $100,000 for every individual whom they fail to notify. These penalties represent just one way in which the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee that:

...I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm.... We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I think it is clear that Bill S-4 would deliver a balanced approach to protecting the personal information of Canadians, while still allowing for information to be available in a growing, innovative digital economy.

Mr. Karl Littler, vice-president, public affairs, Retail Council of Canada, summed it up best, when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

I think we have it right with the digital privacy act. Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting the personal information that is essential to the conduct of business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians.

I urge hon. colleagues to join me in supporting this bill.

Mr. Speaker, I am sure my colleague would, but I think we will keep the topic on Bill S-4 today.

Mr. Speaker, it is my pleasure to speak to Bill S-4, and I would like to do so by addressing three themes. The first will be how Bill S-4 reflects rather badly on our democratic process. The second theme will be that Bill S-4 is already hopelessly out of date. It is behind the technological times. The third theme is that there are worrisome features in Bill S-4 to the extent that it would inadequately protect privacy, even within the limits of what it is trying to do.

On that first theme of democracy, we should recall that a lot of what has subsequently come through the House in a series of different bills started with Bill C-30, which I always called the Internet surveillance bill. It got so panned by experts and civil society that the government tried to take it off of the table in the House by sending it to committee for study before second reading. It then disappeared, because the government knew that too much in there had attracted too much early attention from Canadians.

I mention that, because parts of it have begun to reappear in bits and pieces since Bill C-30 disappeared.

Bill S-4 uses one of the same techniques as Bill C-30 to try to take it away from public scrutiny. It is ironic that the method it would use is one that was recommended by the McGrath committee in 1982 or 1984, which is to make better use of committees by having them look at bills before the principle of the bill has been fixed, by having the government send the bill to committee before second reading. That is between first and second reading. It would allow committees to effectively look at the bill as a strong draft from the government, but for MPs, presumably from all parties, to try to improve and perfect the bill without being hamstrung in the way we are now in our committee study of bills by the principle having been fixed, as it gets fixed when we go to second reading for a bill in principle.

Bill S-4 did get sent to committee and, surprise, surprise, with the way that the government has operated since I have been here and since it got a majority in 2011, there were no amendments. The government rejected every amendment and presented no amendments itself. It was as if it had not heard anything that had convinced it of anything, despite all of the witnesses who had appeared and who, in very measured tones and with a very focused analysis, had indicated that there were ways, even within the limited confines of what the government was trying to do in the bill, that the bill could be improved. However, the government, through its MPs on that committee, decided that the bill was fine as-is.

Look at House of Commons Procedure and Practice, second edition, on page 742. It tells us what this procedure was intended to be when the McGrath report came down in 1982 or 1984. It was intended to be an empowering mechanism for the House in relation to government legislation. It was meant to create more of a partnership between MPs and the government. It says:

This empowers Members to examine the principle of a bill before second reading, and enables them to propose amendments to alter its scope.

In the end, this was a subterfuge. Who here is going to doubt that the reason it was sent to committee between first and second reading was to get it off of the agenda in the House, which can tend to lead to a bill receiving more public attention and producing the kind of civil society push back that we have seen meet the government's bills on and on for the last little while? It was a mechanism to reduce its visibility and to have it reappear just about now, with two weeks to go, when there is no steam, no energy, nothing left for civil society to get its mind around in terms of general resistance.

My colleagues have mentioned a problem with this bill, as with other bills that start in the Senate, which is a structural problem that will hopefully be dealt with after the next election by having the Senate put in its proper place. There is also something here, which is that there has been no acknowledgement by the government that this bill probably does conflict with the Spencer decision of 2014 in the Supreme Court of Canada.

This decision recognized the nature of the privacy interests in Internet users' data, including all the metadata that identifies various features of their existence on the Internet, and indicated that in a police context, warrants are needed in order to get access to that information.

PIPEDA, as amended by Bill S-4, would now allow private sector organizations, using the guise of fraud investigations, contractual breach investigations, et cetera, to request of any other private actor all that same information, and nothing is put in here by way of safeguards. It is as if the Spencer decision never came down.

We have had no opinion tabled anywhere from the Department of Justice, through the Minister of Justice, to say that under section 4.1 of the Department of Justice Act, the minister has assessed that Bill S-4 complies with the charter, even after the Spencer judgment. That is because the government never tables opinions and never takes charter arguments seriously.

The record is clear. Last year alone, something like a dozen judgments came from the courts, and 10 out of the 12 found that the government's legislation breached the charter or other principles of law.

The bottom line is that this bill is not a good story for democracy, but that again, I am sorry to say, is not a new story.

The second theme is that the bill has missed the boat.

This all started in 2007. That was when the PIPEDA review was mandatory under the statute, and very quickly a couple of different bills began to appear in the House. They just never got through the minority Parliament at all. Nothing really changed along the way. The government is still stuck back in whatever its thinking was around 2007.

Let me quote from the Library of Parliament's background paper on Canada's federal privacy laws. It says:

As advances in technology increase the ease with which information about individuals can be gathered, stored and searched, the need to protect the privacy of such information presents a rapidly evolving challenge for legislators.

That challenge has not been met. It is as if the government does not know how much of an information economy we have rapidly, almost exponentially, year by year, evolved into being.

How about these basic facts?

The world's largest taxi company right now has no cars. It is the largest taxi company because it has information. That is Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company by virtue of how it owns information.

The world's largest retailer has absolutely no inventory. That is Alibaba, in China.

This is the world we live in now, and there is nothing in the PIPEDA amendments, in Bill S-4, to indicate the government is at all aware of what it means to be living in this economy.

We should think about the so-called Internet of Things. According to recent research, by 2020, 26 billion devices will be connected to the Internet. That is roughly an average of something like three or four per person on earth. There is no evidence that this bill even comes close to understanding the privacy issues that arise from the fact that we are increasingly living in a connected world in which our phones will be reporting on our heart rates, our fridges will report on our eating habits and even order our groceries, self-driving cars will be out there on the roads, and thermostats and smart meters will monitor our every movement. There is nothing in the bill in that regard. All I would say is that amendments that are 10 years out of date are not exactly something to write home about.

The third theme is the inadequacies and the problems in the bill.

Let me just list them. They have been mentioned before.

First, the way in which the bill deals with giving consent on the web is inadequate after the Spencer case.

Second, the loophole that allows for private organizations to pass on information without any kind of safeguard system analogous to a warrant system, on the simple basis that they are investigating breaches of agreement or fraud or financial abuse, is a recipe for incursions into privacy.

Third, I would end by saying that the reportability standard whereby, if there is a breach of data, a company or holder of the data must tell the person whose data has been lost on the basis of a real risk of significant harm is a subjective standard that is assessed by the company. There is no real system to ensure that it does not become a mechanism for breaches to be hidden from public view and hidden, therefore, from accountability.

Mr. Speaker, Bill S-4 would better protect the privacy of Canadians by requiring organizations to inform Canadians when their personal information had been lost or stolen. Organizations would also be required to keep all records of data breaches and report significant breaches to the Privacy Commissioner of Canada. Organizations that deliberately covered up a data breach or intentionally fail to notify individuals and report to the commissioner could face up to $100,000 for every individual they have failed to inform.

The law being put into place would protect Canadians. It would force businesses to be expedient when they were dealing with the personal information of Canadians. I trust that businesses in our country will take this very seriously when they look at the penalties that are in place for any breach of privacy that might occur.

By keeping these records, if a complaint is laid, the Privacy Commissioner can go to the records at any time and if the breach has not been recorded or if there is any further breach, the maximum penalty can be applied.

Mr. Speaker, I am pleased to rise today to speak Bill S-4, the digital privacy act, which would significantly strengthen Canada's private sector privacy law.

In today's increasingly digital world, Canadians need to have confidence that their online transactions are secure and their privacy is protected. Unfortunately, data breaches, computer hacks, malware and other online threats are simply a reality of today's modern digital landscape. If Canadians do not trust that their private information is safe when it is in the hands of business, then they will not provide it. Without the free flow of information, our digital economy will stall. This is why strong, effective privacy laws that protect personal information are essential to building consumer trust and confidence. Canadian businesses need clear and balanced rules to follow so that their handling of personal information meets the expectations of Canadians.

The digital privacy act would provide important improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA. Canadians want control over their personal information and our privacy laws give them exactly that. PIPEDA requires businesses to obtain a person's consent before collecting his or her personal information and ensures that this information is used only for the stated purposes. PIPEDA also gives Canadians control over which type of information is collected about them, how it is used and with whom it is shared. PIPEDA holds businesses accountable for the private information they hold, requiring them to keep it safe and out of the hands of hackers or thieves.

Further, the law gives Canadians the right to access their information at any time to make sure that it is accurate while also giving the Privacy Commissioner strong tools to enforce compliance. Privacy is a major concern for Canadians and they want to know that their personal information is secure. Businesses that can offer that security have a clear competitive advantage.

If I have a choice between a company that does not make protecting my personal information a priority versus one that tells me exactly what information it is collecting and how it is protecting it, I am going to choose the business that offers me the most protection. Businesses that are clear about what they are doing with personal information and have appropriate safeguards in place to protect that information will have an advantage in the marketplace.

Thankfully, limiting the collection, use and disclosure of personal information, having appropriate safeguards and being open about privacy practices are all part of the founding principles of PIPEDA. PIPEDA applies to all private sector organizations operating in Canada. It came into force on January 1, 2001, and its framework has stood the test of time. It is based on a set of 10 internationally recognized principles called the fair information principles. These principles give individuals control over their personal information and the way it is managed in the private sector. They establish strong privacy rights for Canadians and real obligations for companies.

By requiring businesses to protect personal information, PIPEDA is not only protecting the privacy rights of Canadians but is helping contribute to a vibrant Canadian economy. These founding fair information principles for PIPEDA mean that the act is flexible and scalable and allows data to move seamlessly across borders, all of which are good for Canadian businesses. PIPEDA is a flexible piece of legislation. It is technology neutral, which means that it evolves and will apply to new technologies in businesses as they emerge. It applies to all categories of businesses, not just one sector. It also lets companies find innovative new ways of protecting privacy because it is not overly prescriptive.

As I said, PIPEDA is also scalable. It applies to organizations of all sizes in Canada. Whether a small business or a large multinational corporation is doing business in Canada, it is governed by PIPEDA. Having a foundation based on these internationally recognized principles, being flexible and scalable, all contribute to PIPEDA reducing unnecessary red tape for businesses while also maintaining and protecting the privacy rights of Canadians. This puts Canada at a strategic advantage globally.

PIPEDA's balance between these two approaches allows Canadian businesses to be competitive in different markets around the world. By not being overly burdensome, PIPEDA allows Canadian businesses to adapt to new technologies as they emerge, thus allowing them the opportunity to compete with international markets and increase their revenues. At the same time, because PIPEDA is not overly lenient, Canadians can feel secure that their personal information will be protected in their dealings with businesses in Canada. It is clear that privacy is important for businesses and our economy.

Clearly, PIPEDA supports business activities, while protecting the personal information of consumers. Bill S-4 takes Canada's privacy protection a step further and clarifies rules for businesses.

Our government recognizes that companies need to have access to and use personal information to conduct business activities. That is why Bill S-4 provides a clear set of guidelines for businesses when it comes to the collection, use and disclosure of the personal information of Canadians in the course of commercial activities. These activities can include undertaking a merger or acquisition, processing an insurance claim or simply share an employee's email address and fax number with another company.

Bill S-4 would maintain PIPEDA's balanced approach and would provide important clarifications for businesses to conduct themselves with confidence, while at the same time offering consumers the assurances they need that their information is being protected.

The digital privacy act would also provide for oversight and accountability to ensure that when safeguards failed, individuals would told about it and could take the appropriate measures to protect themselves.

The balanced approach found in PIPEDA and continued in Bill S-4 is an important element in establishing a growing trust and confidence in today's digital economy. Once again, it is that consumer trust and confidence that will help businesses and the economy to flourish. It is that trust and confidence that will help us to continue to build a digital Canada.

Thanks to PIPEDA and the improvements proposed in Bill S-4, Canadians can be confident that their privacy is being protected when they provide their personal information to businesses.

The digital privacy act proposes common sense changes that will reduce red tape for businesses, while also maintaining and protecting the privacy of Canadians. A clear set of rules for privacy protection allows businesses to focus on providing exceptional service to their clients, while simultaneously offering them an advantage in today's increasingly competitive worldwide marketplace.

I want to take this opportunity to urge all hon. members to join me in supporting the bill.

Mr. Speaker, the NDP is entirely supportive of the need to update our privacy laws, especially in the digital age, when we frequently share our private lives online. However, something about this bill really bothers me, which is why the NDP will not be supporting it.

Unfortunately, although the bill is called the digital privacy act, some of its measures actually work against privacy by opening the door to more sharing of personal information among organizations, on a voluntary basis, without the knowledge or consent of the individuals in question. The Privacy Commissioner even raised some concerns about this. This will really open the door to a lot of information sharing. Sometimes it will be for legitimate reasons, and sometimes not.

Why has the government not taken action in this regard? Why did it not include the amendments put forward by the Privacy Commissioner to ensure that this bill really does protect Canadians?

Mr. Speaker, I am pleased to have the opportunity to speak to Bill S-4, the digital privacy act. The bill would make significant improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA.

One aspect of the digital privacy act that has not received a lot of attention is how the bill would help reduce red tape for businesses. Reducing red tape for Canadian businesses saves money and helps encourage greater investment in our economy. I would like to focus my comments today on these important changes.

We must always bear in mind that strong privacy legislation is not just good for everyday Canadians; it is also good for businesses. In our rapidly evolving digital economy, personal information is becoming increasingly valuable, creating tremendous new opportunities for businesses to innovate and develop new products and services.

Canadians will not provide their private information to businesses if they do not trust that it will be protected. At the same time, if the rules are too cumbersome and complex for businesses to manage and show no clear benefit to consumer privacy, then companies will struggle to implement them. It is for these reasons that the digital privacy act proposes a number of common sense changes to help businesses protect privacy in a way that does not hinder their ability to conduct business.

All of these changes make sense. They were all identified by the Standing Committee on Access to Information, Privacy and Ethics when it conducted the first statutory review of PIPEDA back in 2006. Businesses have been waiting a long time for these changes, and it is important that we move now to implement them. I would like to briefly touch on each of these important changes.

The first changes are in relation to business transactions. Currently, if a company wants to examine personal information as part of its due diligence—for example, if a business is thinking of buying a magazine and would like to look at the list of current subscribers—it first needs to obtain the consent of each individual subscriber. This requirement not only presents a tremendous burden for the company but is also often impractical, given the confidential nature of most prospective business transactions.

Bill S-4 fixes this problem by creating an exception to the requirement for consent that would allow businesses to share information in this context. This must be done in such a way that the privacy interests of those involved are protected.

Under the digital privacy act, information could only be shared for the purpose of assessing the feasibility of the transaction. If the transaction did not proceed, the information would have to be destroyed or returned. If the transaction did proceed, then the individuals would have to be informed.

This amendment would implement a recommendation made by the standing committee during the first statutory review and is modelled after a similar exception that is currently in place in Alberta and British Columbia under their private sector privacy laws.

In addition, the amendment has widespread support among stakeholders. Ms. Éloise Gratton, a lawyer with the Borden Ladner Gervais law firm, appeared before the Standing Committee on Industry, Science and Technology. She said:

I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.

The next important amendment I would like to highlight is the change to how business contact information is dealt with under PIPEDA. Currently, certain types of business contact information are not defined as personal information. Specifically, a person's business title, address, and telephone number are not considered personal information and are therefore not regulated.

As was pointed out during the first statutory review of PIPEDA, this would present an obvious problem: only a few bits and pieces of information are considered to be business contact information under PIPEDA. A person's work email address or fax number or their LinkedIn account or a business Twitter handle are all considered personal information.

The digital privacy act would correct this problem by creating a technology-neutral definition of “business contact information”. It would do this by being inclusive of all types of communication points of contact, such as social media applications like Twitter and LinkedIn. With this change, a sales manager would now be allowed to share an employee's work email address with a client without having to get permission first. This would create a better balance between protecting privacy and allowing information to flow in a digital economy. At the same time, the act would continue to protect business contact information if it is used outside of a business context.

Another important amendment in the digital privacy act would be the clarification around the rules for when someone's personal information is included in their work product. An example would be when a garage mechanic signs off on a vehicle's inspection or a work estimate. The fact that the mechanic signs off on the estimate would mean that it now contains his personal information.

Currently, under PIPEDA, a business must obtain an individual's consent to use or share any work product he or she creates if it contains the individual's personal information. Again, this seems like a rather silly and unnecessary bit of red tape. Bill S-4 would fix this problem by ensuring that businesses can use their employees' work without getting the employees' consent.

Finally, the digital privacy act would ensure that insurance companies can use witness statements when assessing or processing any insurance claim. Witness statements provided to the police or other investigating authorities may contain personal information. For example, if I were to witness someone running a red light that results in a car accident, my statement to the police would include personal information. Currently, under PIPEDA, an insurance company processing any claims for the accident would need to get the consent of anyone named in my witness statement in order to use it. Such a requirement would create the potential for someone who breaks the law to use privacy as a shield to avoid responsibility for his or her actions.

The digital privacy act would fix this problem with an amendment that would enable an organization to obtain a witness statement without having to obtain the consent of an individual whose personal information is contained within it. However, this experience would only apply when the information is necessary to assess, process or settle an insurance claim.

In addition to strengthening privacy protection in Canada through measures like mandatory data breach reporting and stronger enforcement powers for the Privacy Commissioner, which had been discussed extensively in this place, the digital privacy act would also make a number of important changes that would cut red tape for Canadian businesses.

I hope hon. members will join with me in supporting a balanced and carefully considered bill that would dramatically improve Canada's privacy law.

Mr. Speaker, I am pleased to rise in the House today to speak to a bill, perhaps for the last time in this 41st Parliament. I would like to thank the interpreters, who have helped us so much these past four years, as well as the team of clerks and pages and everyone who supports our work every day.

In the digital age, privacy is extremely important. It often feels as though I have a clone that is wandering around computer networks with information on my life, my past, my present, my sexual orientation, my purchases, my consumption and my travels. All of these data are like a twin over which I have no control. That is a problem.

Unbeknownst to me, my twin goes from company to company, government agency to government agency. No one will inform me that an agency is using the information my clone carries to determine how it will approach and deal with me.

A number of distinguished analysts who testified obviously told us that this bill could be challenged by the Supreme Court. The court recently ruled that a warrant was required to access the personal information and IP addresses of customers of Internet service providers. It is therefore highly likely that a number of provisions in this bill will be challenged by the Supreme Court.

The Conservative government has a strange relationship with the Supreme Court. This will not be the first time that a bill has ended up before the Supreme Court. Under the Conservative government, we have gotten used to seeing bills that, according to experts and parliamentarians, violate our charters and our laws. These bills risk being challenged by the Supreme Court and, in fact, they are being challenged. The government has suffered many defeats, and yet again it is risking being put in its place.

Introducing these constitutionally weak bills is a real waste of time. How insulting it is to the intelligence of the members of this Parliament and the members of civil society who give their input on these issues. What contempt it shows for our institutions and the Canadian Constitution.

The Conservatives have botched the drafting of dozens of bills. Take Senate reform as an example. Everyone knew that that measure would be declared unconstitutional, because 50% of the population would have had to agree, but the government went ahead with the measure anyway.

As for the appointment of Justice Nadon, everyone said that it would not work. The appointment was challenged, and Justice Nadon was ineligible under the Supreme Court Act. The matter still had to go to court, but everyone knew how it would end. Once again, it was an insult to the intelligence of parliamentarians and the experts who were advising us.

Another example is the repatriation of Omar Khadr. Two Federal Court rulings and a Federal Court of Appeal ruling ordered his repatriation, but the government still took the matter to the Supreme Court. What happened? The Supreme Court of Canada upheld that young man's rights and even said that they had been violated since he was captured in 2002. The government's attitude puts it at odds with civil society, the opposition members and the Supreme Court.

We told the House that mandatory minimum sentences were not constitutional. The government pushed ahead anyway. What happened? The Supreme Court said that the opposition was right and that these sentences were not constitutional. The Federal Court of Appeal had come to the same conclusion, but the government did not listen to that court.

The government tried to close safe injection sites by passing a law. What happened? The Supreme Court found that the site in Vancouver could continue to operate without the risk of criminal prosecution. The government's refusal to grant an exemption to InSite violated the right to life guaranteed in the Canadian Charter of Rights and Freedoms. This once again showed the Conservative government's contempt for our institutions, the Canadian Constitution and the Canadian Charter of Rights and Freedoms.

The Conservative government also lost its case before the Supreme Court regarding the retroactive application of the Corrections and Conditional Release Act. It was not constitutional to do away with accelerated parole review. Those who challenged it were granted parole. The NDP told the House that the measure would not work and that it violated the Canadian Constitution and the Canadian Charter of Rights and Freedoms. The government did not listen. It went to the Supreme Court and lost once again.

Another case that the government lost before the Supreme Court is the case regarding the Canadian securities commission. We told them that setting up a Canada-wide commission would not work since that is an area of provincial jurisdiction. The government did not listen to us and said that it was going to set up the commission anyway. The government went to court and the Supreme Court told the government exactly what the opposition had told the House. What is more, the Supreme Court suggested that the government take a co-operative approach. This government has failed to co-operate with the provinces, as we have seen with the TFSAs in the latest budget. By 2080, that measure will cost the provinces $34 billion. Did the government discuss that with the provinces? Did it seek to co-operate with them? Not at all.

I am getting to my last and main point: Internet users' privacy. The issue is whether searching through people's personal information is lawful or not. I am reiterating this because the government has to understand that it cannot use any pretext whatsoever to search through people's personal information: the police need a warrant to obtain the name, address and telephone numbers associated with a subscriber's IP address. The Supreme Court has told the government that.

We are debating Bill S-4, which could still go to the Supreme Court. How do we know? We listen to the experts. Not all members claim to be experts in law, computer issues and general issues that apply to data management. People appeared before the different committees, in the Senate and the House of Commons, to explain why the current version of this bill is weak. We spoke about Michael Geist earlier. In his testimony, he said that although the government claimed that Canadians should not worry about this provision, this exception will let companies share personal information with other companies or organizations without the court's authorization. That is one of this bill's flaws. He added that the failure to require transparency, disclosure and accountability with respect to the communication of information without a warrant was a glaring omission in this bill.

This is not the first time that we have told the Conservatives that their laws are flawed. They are unconstitutional. Here again, provisions will be struck down by the court. Why not fix this now? Why waste time, money and energy in the Supreme Court just to be slapped on the wrist again? The Conservatives have been slapped on the wrist 10 times by the Supreme Court. They may want to continue. Perhaps systematically going against Canada's Constitution and the Canadian Charter of Rights and Freedoms is part of their political agenda. That seems to be the case. The Conservatives do not like the Canadian Charter of Rights and Freedoms, because in the case of the 10 laws that I mentioned, the Conservatives went against the charter.

Is there someone who can read it and interpret it properly? Why not listen to the opposition once in a while?

Mr. Speaker, I want to thank my hard-working colleague for the very thoughtful question. There is nothing more important than one's private information. There is some information people just do not want to share with other people. We have insisted on removing the provisions in Bill S-4 that would allow organizations to share personal information without Canadians' consent and without a warrant. We have also said that there are loopholes in this bill that need to be addressed. We tried to address them with amendments, but of course, we were ignored.

However, we are not the only ones who are saying that. Here is a quote from Michael Geist, who is a law professor at the University of Ottawa:

the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed.

He has also said:

While the government has claimed that this provision should not concern Canadians, the reality is that the broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval.

It is a lack of transparency, a lack of disclosure, and a lack of reporting requirements and believing that these companies can police themselves. Surely we have learned lessons from other situations. There are some glaring omissions in this bill, and they should be addressed.

As a matter of fact, Michael Geist even says, “[This bill] is both not well studied and ought to be fixed. Canadians deserve better”.

Mr. Speaker, I thank my colleague for her speech on defending privacy and people's personal information.

Through Bill S-4, the Conservatives are making a third attempt at talking about privacy protection, but they missed the mark yet again. As my colleague pointed out, the opposition parties, including the NDP, proposed a number of amendments, but the Conservatives categorically rejected them all.

Some of the amendments would have prevented companies from determining whether or not privacy has been breached and whether or not complaints should be addressed. We want a third party to take care of this in order to keep the process transparent and effective.

We are also calling for the Federal Court decision to be complied with so that information shared between companies is better protected and Canadians' personal information cannot be shared without their permission.

Bill S-4 does not do any of that. We are talking about a very serious breach of privacy. The current Privacy Commissioner raised some concerns about this. This bill still has a number of major flaws.

I would like my colleague to comment on that.

Mr. Speaker, it is my pleasure today to rise and speak to Bill S-4.

As my colleague mentioned a couple of minutes ago, I too have very serious concerns that here we are in a parliamentary democracy with elected MPs sent here by their constituents to do the work of Parliament, and Conservatives have brought forward a bill introduced by the unelected Senate. It sort of begs this question. What was the real agenda behind doing this? Was it to fast-track it? Was it to try to give the Senate some sense of credibility as it goes through some very difficult and challenging times?

Nevertheless, it is about process, and now that I have made my point, I also want to make the point that in Parliament, as my colleague across the way pointed out, there is a natural rhythm as to how bills are introduced in the House and debated. The government, in its wisdom, first took a Senate bill instead of spending the time, of which it has a lot, to bring forward its own bill. It took a Senate bill and, even before second reading, basically declared that it was not willing to accept any amendments, which really makes one wonder what the purpose has been behind a lot of legislation.

Now I know that my colleagues across the way have an allergy to evidence, science, and data and do not really like listening to all the expert witnesses that are flown in to appear before committees. The interesting thing is that even before they heard from those witnesses, they started to make comments such that they did not want to accept any amendments because if they did, the bill would have to go back to the Senate. It does not seem to me to be a good reason to bring forward legislation that is poorly thought out.

I am not saying it is not needed. It is.

As a matter of fact, my esteemed colleague from Terrebonne—Blainville introduced Bill C-475, which would have actually addressed many of the concerns that Canadians want addressed. That is an example of a well-thought-out bill that would not overreach but would actually do the job that is needed, which is to modernize our code of conduct around personal information. With the advent of electronic and digital media, we absolutely need some changes.

Getting back to the bill, once again, it is a process that is flawed. Experts came forward and gave testimony. I sometimes wonder, if the government's mind is already made up that it is not going to accept any amendments, what the purpose is of flying in experts to present their testimony. To me, that is the highest sign of disrespect. It basically says the government has already made up its mind, but just to make witnesses feel better, it will hear from them. That is really bad form.

Here is something else. The NDP put forward 18 amendments, well thought out and researched, supported by the evidence that was presented and by experts; and other people presented 14 other amendments. True to their commitment or the bizarre statement before the bill got debated, there were zero amendments accepted by my colleagues across the way. So much for committees working with consensus.

I have often heard ministers from the other side of the House say they have to rush things through the House because at committee stage experts will be heard and that is when we get to have the really meaty debates. I have never bought that, and evidence bears out that it is not how committees work. Despite hearing expert witnesses and hearing from the opposition, the Conservative government accepted zero amendments, and that says a lot about the process.

Now the bill is back in the House, and we are debating it, but once again, there is time allocation. The government could have moved on the bill over the last number of years, but it chose not to. Here we are in the last three weeks, when suddenly the Conservatives have rediscovered that they had better do something. After all, it is election time. They are now moving time allocation to prevent the Canadian public from knowing what is really in the bill. One way to do that is to limit and shut down debate, which seems to be a very common move by the government.

Here are some facts and figures. The Conservatives made 1.2 million requests to telecommunication companies to obtain Canadians' personal information in just one year. Some 70% of Canadians feel less protected today than they did 10 years ago. With this bill, they have reason to feel even more concerned and worried, because now there are all kinds of loopholes in the bill whereby their information can be shared way beyond the person they give it to.

Some 97% of Canadians say they would like organizations to let them know when breaches of personal information occur. That is reasonable, but if companies are giving away data themselves, I personally see that as a breach, because they have breached my trust, because I gave the data to them. We have some concerns around that as well. Some 80% of Canadians say they would like the stiffest possible penalties to protect their personal information, and 91% of respondents—not 51%, not 41%, not 21%, but 91%—are very or extremely concerned about the protection of privacy. It seems to me that the government should be paying some attention to what Canadians are feeling and their fears.

There was also a Supreme Court ruling, on June 13, 2014, pertaining to the sharing of personal information. The Supreme Court stipulated that subscriber data, including name, address, email address, phone number, ID address, et cetera, cannot be disclosed to a third party without a warrant. In light of this decision, the constitutionality of certain provisions in Bill S-4 is questionable.

I am sitting here thinking that a government that really wanted to do due prudence would actually pay attention to the fact that the Supreme Court had made a ruling. Despite that ruling, we did not see any amendments from the Conservatives, nor were they willing to accept any of ours, which really lets me know that to pander to their friends, they are willing to sell out Canadians, they are willing to ignore the Supreme Court ruling, and they are burdening hard-working taxpayers with future challenges in the courts, because that is where this will certainly end up.

The NDP believes that Canada needs a mandatory data loss or data breach reporting mechanism based on objective criteria. We are not the only ones who are saying that. Witness after witness said that we need the Privacy Commissioner to have some powers over this.

Huge companies get our data through nefarious means, some of them very innocent, like when we pay bills with a credit card. They not only get what we paid and where we bought something but all that micro-targeting information can now be moved on to other companies when a company deems fit. To me, that is just not acceptable.

I would urge my colleagues across the way to not ignore Canadians or the Supreme Court ruling. Let us make sure that we address the deficiencies in this bill.

Mr. Speaker, I am less interested in the speech that my colleague was given to read into the House of Commons today and more interested in hearing his views about the fact that the bill is labelled “S-4”, which means it did not originate in the House of Commons; it originated in the Senate.

In my view—and I would like the view of the member for Elmwood—Transcona, to see if he agrees with me—senators have no legitimate right to introduce legislation. No one elected them to be legislators. In fact, they are appointed, usually because they were good fundraisers on behalf of their party. They were hacks and flacks and fundraisers, and they get rewarded with this lifetime sinecure in the other place.

For God's sake, how did we ever get to the point where we are debating legislation that they have developed? How have we slipped to this, in the status of our parliamentary democracy, that it is the House of Commons' job, that the elected representatives, the duly, democratically elected representatives in the House of Commons, have to end up debating legislation that was put together by a bunch of unelected, undemocratic, and under indictment half the time, senators?

Does he agree with me that there is something fundamentally wrong with this picture? Will he stand up on behalf of his elected colleagues in the House of Commons and say the bill has no legitimate right to be in the House of Commons, never mind the points he was making about its relative merits?