Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill is from the 41st Parliament, 2nd session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament has also written a full legislative summary of the bill.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Bill numbers are reused for different bills each new session. Perhaps you were looking for one of these other S-4s:

S-4 (2022) Law An Act to amend the Criminal Code and the Identification of Criminals Act and to make related amendments to other Acts (COVID-19 response and other measures)
S-4 (2021) An Act to amend the Parliament of Canada Act and to make consequential and related amendments to other Acts
S-4 (2016) Law Tax Convention and Arrangement Implementation Act, 2016
S-4 (2011) Law Safer Railways Act
S-4 (2010) Family Homes on Reserves and Matrimonial Interests or Rights Act
S-4 (2009) Law An Act to amend the Criminal Code (identity theft and related misconduct)

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

Digital Privacy Act / Government Orders

June 17th, 2015 / 6:05 p.m.

Liberal

Ted Hsu Liberal Kingston and the Islands, ON

Mr. Speaker, it is true that this bill contains elements that may be too broad and would result in violations of Canadians' privacy.

One example that comes to mind is the do not call list. In the past it was possible to share information, telephone numbers and so on, and I think Canadians rightly did not want information like telephone numbers to be shared.

Going forward, individuals in Canada will have more and more digital identities that they may want to be protected and not to be passed around, not to be shared without at least their knowledge or consent. That is the sort of thing that needs to be constantly updated. The member for Victoria talked about the bill already being out of date and as time passes, this sort of digital privacy legislation needs to be updated constantly. We cannot sit still in legislation as technology evolves.

That is probably a general principle and why it would be good to have members of Parliament constantly consulting experts in technology, especially experts at the forefront of technology so that we can constantly update our laws regarding the protection of Canadians and protection of privacy.

June 17th, 2015 / 6:10 p.m.

Liberal

Kevin Lamoureux Liberal Winnipeg North, MB

Mr. Speaker, it is worthy to note that we are of the digital age and more and more Canadians are becoming aware and concerned that with one touch on a keyboard, one could have all sorts of information being transferred. It is an important issue for all Canadians.

The leader of the Green Party and the member made reference to the need for change. There were numerous amendments suggested. My colleague and I were just talking about how parliamentary secretaries should not be on standing committees in a voting capacity or otherwise.

A wonderful plan was released just yesterday by the leader of the Liberal Party. At www.realchange.ca one can see the 30-plus ideas and thoughts in terms of how we can effect real change.

I wonder if the member could highlight why he believes that the need for changing the system is so critically important. I suspect there would be a lot more support in the House if the government had accepted the amendments that were being proposed. That is the type of change that we need to see.

As many say, Ottawa is broken because of the actions of the government over the last 10 years.

June 17th, 2015 / 6:10 p.m.

Liberal

Ted Hsu Liberal Kingston and the Islands, ON

Mr. Speaker, I have already spoken about the independence of committee chairs, how we could ensure that independence by how we choose the committee chairs and take that out of the hands of the government and party leaders. I have also already spoken about the idea of removing the possibility of parliamentary secretaries sitting as voting members of committees.

However, what I think is also important is that committees need to be given the resources to really acquire the independent expert analysis that they need for any proposed legislation.

I would supplement what I said earlier with respect to resources. More generally, there are a lot of cases where we can change rules, but unless we put resources behind those rule changes, we do not actually accomplish what we want to accomplish.

I would ask that in the next Parliament the House ensure that committees have the resources they need to hold the government to account.

June 17th, 2015 / 6:10 p.m.

Liberal

Kevin Lamoureux Liberal Winnipeg North, MB

Mr. Speaker, I will take the opportunity to ask the member if there is some aspect of the legislation that he personally would have liked to have seen changed or that he is concerned about.

June 17th, 2015 / 6:10 p.m.

Liberal

Ted Hsu Liberal Kingston and the Islands, ON

Mr. Speaker, there was an amendment by my colleague, the Liberal member for York West, regarding the threshold at which a company or an institution was required to report an unlawful breach of personal information, not only to some authority, but to the individual related to the information of concern. The language was “represents a significant threat of harm to the individual”.

That amendment was important so Canadians could feel confident that if their information was released and if it would have any effect on them, they would be notified as well as authorities that could deal with the breach more generally.

June 17th, 2015 / 6:10 p.m.

The Deputy Speaker

Resuming debate. The hon. Parliamentary Secretary to the Minister of the Environment. I must advise the member that he will only have about eight and a half minutes in his speech before we conclude this debate.

June 17th, 2015 / 6:10 p.m.

Oshawa Ontario

Conservative

Colin Carrie Conservative Parliamentary Secretary to the Minister of the Environment

Mr. Speaker, I will be sharing my time with the member for Kelowna—Lake Country. I appreciate the timeline on this.

I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act, which would make a number of important changes to strengthen Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, or what is more commonly known as PIPEDA.

Data breaches are very concerning to Canadians. In fact, a recent survey conducted by the Office of the Privacy Commissioner in 2014 found that news of data breaches among several large retailers had made 80% of Canadians more reluctant to share their personal information with businesses. This is simply unacceptable. Canadians need to know that when they choose to share their personal information with a business, it will be protected and kept confidential.

The proposals in Bill S-4 will amend PIPEDA to significantly strengthen the current law and ensure that the privacy of Canadians will be protected when it comes to the rules that companies must abide by when they collect, use or disclose personal information in the course of commercial activities. In the current legislation, there is no legal obligation for businesses and organizations to tell customers and clients when their personal information has been lost or stolen.

The digital privacy act would correct this by making important changes to PIPEDA and implement new data breach requirements for businesses. These changes would ensure that organizations would be taking appropriate steps to notify Canadians. The requirement for mandatory notification is welcomed by many stakeholders, in particular the Privacy Commissioner of Canada. In his recent annual report to Parliament on PIPEDA, he stated:

—we welcome the proposed amendment to PIPEDA in Bill S-4, the Digital Privacy Act, which seeks to implement mandatory breach notification.

He went on to say:

Mandatory notification will also provide a clearer picture of the frequency and type of data breaches experienced by organizations.

Mandatory notification would better inform Canadians of situations in which their personal information has been compromised. It would also enable Canada to keep pace with other jurisdictions where similar measures have been enacted or are being considered.

As we have discussed many times, strong rules are meaningless if they are not backed up with strong compliance tools. Bill S-4 would give the Privacy Commissioner of Canada the necessary tools to hold companies accountable when it comes to the protection of the personal information of Canadians.

In addition to the notification provisions, Bill S-4 would also require organizations to keep a record of the event, regardless of whether a breach posed a risk of harm. These records would not only allow organizations to demonstrate due diligence in the risk assessment, but would also require companies to keep track of when their data security safeguards fail so they could determine whether they have a systemic problem that would need to be corrected. What is more, organizations will be required to provide these records to the commissioner upon request at any time.

This record-keeping requirement will give the Privacy Commissioner the appropriate tools to hold organizations accountable for their obligation to report serious data breaches. Once again, I would like to quote the Privacy Commissioner's 2014 annual report, where he stated:

—requiring organizations to keep and maintain a record of breaches, and provide us with such information upon request would be an important accountability mechanism. Our Office would be able to evaluate compliance with the notification provisions and assess how organizations are deciding whether—

June 17th, 2015 / 6:15 p.m.

The Deputy Speaker

Order, please. The hon. parliamentary secretary on a point of order.

The House resumed consideration of the motion that Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, be read the third time and passed, and of the amendment.

June 17th, 2015 / 6:20 p.m.

Oshawa Ontario

Conservative

Colin Carrie Conservative Parliamentary Secretary to the Minister of the Environment

Mr. Speaker, the commissioner made this same point when he appeared before the Standing Committee on Industry, Science and Technology during its study of the bill. He said:

Requiring organizations to keep a record of breaches and provide a copy to my office upon request will give my office an important oversight function with respect to how organizations are complying with the requirement to notify.

It is up to all organizations to protect the personal data they have collected from their clients and customers. This is a responsibility that most take seriously. They understand that in the wrong hands this information could be used for nefarious purposes.

Most organizations in Canada are good corporate citizens. When the commissioner identifies that they are in violation of PIPEDA, they move quickly to correct their practices. Unfortunately—

June 17th, 2015 / 6:20 p.m.

The Deputy Speaker

I want to advise the parliamentary secretary that, as a result of the motion that was just adopted unanimously, he will have his full time, which at this point leaves him with just a few seconds less than five minutes to complete his speech.

June 17th, 2015 / 6:20 p.m.

Conservative

Colin Carrie Conservative Oshawa, ON

Mr. Speaker, unfortunately, as lawmakers we know from experience that there will always be those who will break the rules. That is why Bill S-4 would make important improvements to PIPEDA's compliance framework. These changes would ensure the commissioner has the necessary tools to ensure organizations respect the law and protect the privacy of Canadians.

The digital privacy act would set out serious consequences for any organization that deliberately ignores its data breach obligations and intentionally attempts to cover up a data breach. Bill S-4 would make it an offence for any organization to deliberately fail to notify individuals, report to the commissioner, or keep the necessary records.

In these cases of deliberate wrongdoing, an organization could face fines of up to $100,000 per offence. I want to ensure this point is very clear. It would be a separate offence for every single person and organization that is deliberately not notified of a potentially harmful data breach, and each offence would be subject to a maximum $100,000 fine.

These changes are widely supported by stakeholders, as evidenced by witness testimony during the committee's review of the bill. Professor Michael Geist stated:

These disclosure requirements are long overdue as I think it creates incentives for organizations to better protect their information and allows Canadians to take action to avoid risks such as identity theft. There are aspects in this bill that are an improvement over the prior bills, Bill C-12 and Bill C-29, most notably the inclusion of actual penalties that are essential to create the necessary incentive for compliance.

At committee, the Canadian Internet Policy and Public Interest Clinic stated:

We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored... The fines currently in PIPEDA are designed as penalties for very overt offences.

The list continues. The Canadian Bankers Association stated:

We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

The Canadian Life and Health Insurance Association Inc. was also supportive. It stated that the bill takes a balanced approach to the responsibilities placed on business and organizations, but most importantly, it will protect the consumer of those businesses, and gives individuals the information they need to take corrective action when it is necessary.

The digital privacy act does indeed take a balanced approach, one that avoids the over-reporting of harmless incidents while ensuring that the commissioner has the necessary tools to oversee whether organizations are meeting their obligations under Bill S-4.

This balanced approach would also ensure that punishment is reserved for the most egregious offenders, those who knowingly and deliberately try to circumvent the law. Those organizations caught making a mistake in good faith would instead work with the Privacy Commissioner under the existing dispute resolution tools in the act.

Our government recognizes that many organizations already notify individuals of data breaches in a responsible manner.

Let me be very clear. The penalties in the digital privacy act would target the bad apples, those organizations that willfully and knowingly disregard their obligations or, worse, cover up a breach.

The digital privacy act would encourage all organizations to play by the same rules. It would provide incentives to comply with the new data breach obligations, and also to implement appropriate data security practices to prevent breaches from happening in the first place.

By requiring organizations to keep records of their data breaches and by enforcing the requirements with stiff penalties, these amendments would increase the accountability of organizations to maintain good privacy practices and would provide the Privacy Commissioner with the tools he needs to enforce these protections.

I urge hon. members to join with me in supporting the bill.

June 17th, 2015 / 6:25 p.m.

NDP

Ève Péclet NDP La Pointe-de-l'Île, QC

Mr. Speaker, my colleague spoke in some detail about the bill, but I did not hear him talk about one very problematic clause.

Companies will be responsible for deciding whether to report a possible violation of the Privacy Act. They will have to decide whether they believe they have broken the law. Furthermore, they will decide whether their violations present a serious risk. This bill basically amends the law, but the member did not mention that all the changes benefit the companies, which will decide for themselves if there has been a violation and if that violation results in real harm.

Can my honourable colleague explain which Canadian interests are protected by this clause? It is not obvious to me at this time.

June 17th, 2015 / 6:25 p.m.

Conservative

Colin Carrie Conservative Oshawa, ON

Mr. Speaker, I would like to tell my colleague that the bill is all about a balanced approach. If we look at what the Privacy Commissioner of Canada actually said, he said that the introduction of Bill S-4 is a positive development for privacy in Canada.

He said:

...I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

He also said:

Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians in their dealings with private sector companies....

The proposed voluntary compliance agreements will enhance my office's ability to ensure, in a timely and cost-effective manner, that organizations are meeting their commitments to improve their privacy practices without having to resort to costly litigation before the Federal Court....

That is good legislation.

June 17th, 2015 / 6:25 p.m.

The Deputy Speaker

It being 6:30 p.m., pursuant to an order made earlier today, all questions necessary to dispose of the motion for third reading of Bill S-4 are deemed put and the recorded division is deemed to have been demanded and deferred until Thursday, June 18, at the expiry of the time provided for oral questions.

The hon. Parliamentary Secretary to the Minister of Public Works and Government Services.