Bill S-4 (Historical)

Mr. Speaker, my Conservative colleague spoke about corporate accountability with regard to privacy protection. However, she knows full well that Bill S-4 allows those same businesses to decide for themselves whether or not they will address the complaints people make regarding the use and sharing of their personal information without their knowledge, without consultation and without a warrant.

Many witnesses told the committee that there is a problem with transparency in this bill and that it creates a conflict of interest because the company at fault is the one that decides whether or not the complaint will be addressed. This bill does not provide greater protection for consumers and Canadians. On the contrary, it opens the door to abuse. Many people and experts told the committee that the bill is seriously flawed.

I am wondering how the member opposite can say that this bill is going to protect children when it is flawed. Even the Privacy Commissioner said that the bill does not have the power to really protect Canadians.

Mr. Speaker, if a company refuses to co-operate with requests for information, the commissioner could publicly disclose this fact, which would send a signal to consumers of the privacy implications of the organization's practices. The organization would, in turn, have to explain to its customers why it is not respecting Canadian privacy law, and this change would ensure that Canadians are informed and aware of issues that affect their privacy, so that they can make educated choices to protect themselves.

Our government is taking action to give the privacy commissioner powerful new tools to promote compliance with PIPEDA, whether through binding agreements, the possibility of court action, or being held to public account. These proposed amendments would increase the accountability of organizations to maintain good privacy practices, and if they do not report a breach, they would be heavily fined for each name that is disclosed, up to $100,000. When a company has thousands of clients, that could add up to quite a bit of money.

Mr. Speaker, in committee, one of the issues that was discussed at length is elder financial abuse. I would like to ask the member how Bill S-4 would work to combat this serious problem in our society today.

Mr. Speaker, unfortunately, senior abuse is a tragic fact in our society, and our government has put forth common-sense proposals in the digital privacy act to combat financial abuse of seniors. The digital privacy act would not broadly expand warrantless disclosure but would narrowly allow banks and other financial institutions to voluntarily disclose financial abuse to the proper authorities. It is a targeted proposal that would help combat the unfortunate situation of financial abuse of the elderly.

Mr. Speaker, I am pleased to speak about a topic as important as privacy protection.

We need to amend the Personal Information Protection and Electronic Documents Act to bring it in line with the reality of the digital era. The bill seeks to impose new requirements for the collection, use and disclosure of personal information by a company or organization.

What really bothers me about this bill is the provision that would allow organizations to share personal information without a warrant—yes, I did say without a warrant—and without the consent of the individual concerned. That is a major problem.

Even though this bill is called the digital privacy act, it contains a provision that could really interfere with the protection of privacy. I find that deeply contradictory.

Once again, this Conservative government has proven that it spends more time coming up with grandiose titles than working on content. It is also extremely important to point out that between the drafting of this bill and today's debate, the Supreme Court ruled that information such as the data that Internet service providers have on users and clients—IP addresses, email addresses, names, telephone numbers, and so on—is considered personal information and cannot be obtained without a warrant. I am not the one saying that. It was a Supreme Court ruling.

I have some serious concerns about the constitutionality of this provision. The government must comply with the Supreme Court's ruling and remove all the provisions enabling the disclosure of personal information without a warrant.

During the study in committee, a number of witnesses expressed concerns about this very provision. For example, the Privacy Commissioner said the following in a submission:

Allowing such disclosures to prevent potential fraud may open the door to widespread disclosures and routine sharing of personal information among organizations on the grounds that this information might be useful to prevent future fraud.

We want to protect privacy, but it is questionable to allow access to personal information without a warrant, without consent, without any kind of judicial oversight and without transparency. The Conservatives have a poor record when it comes to protecting privacy, and Bill S-4 will not erase the past.

In one year alone, government agencies secretly made at least 1.2 million requests to telecommunications companies for personal information, without a warrant or proper oversight. Why did they ask for this information? We do not know.

The government should have taken advantage of Bill S-4 to close the loopholes in PIPEDA that allow this kind of information transfer without legal oversight, consent or transparency.

There is another provision in the bill that made my jaw drop. This bill would require companies to declare a data loss or breach if and only if it is reasonable to believe that the breach creates a real risk of harm. In other words, it is up to the company itself to determine whether or not it should notify the authorities in the event of data loss. That is crazy.

This measure will actually give companies less incentive to report data breaches by leaving it up to the company whose data were breached to decide whether the breach creates a real risk of significant harm to an individual.

This blatant conflict of interest is what really kills the purpose of this bill because a company will see no benefit to reporting a data breach and every benefit to hiding it. Deciding that a breach is benign will save the company money, damage to its reputation and inconvenience

It will also help the company avoid being put under the microscope by the Office of the Privacy Commissioner of Canada for an audit or investigation. It will create a culture of non-reporting because the commissioner would be nothing more than an observer.

In conclusion, the Conservatives say that their bill is balanced, but we can do much better. We are increasingly aware of the harm that data breaches can cause, so we cannot create a bill that will barely be useful.

We need a bill that will do an excellent job of giving Canadians better protection from data breaches. This bill has not been looked at carefully enough, and we need to fix it. Canadians deserve better.

Mr. Speaker, I thank my colleague for her speech.

I completely understand why my colleague was so shocked when she saw the provisions allowing companies that disclose personal information to manage and discipline themselves.

It is quite surprising that, ultimately, the Conservatives are refusing to be guided by the most informed, most qualified experts on the matter. One example is Daniel Therrien, the Privacy Commissioner.

With Bill C-51, once again, the Conservatives tried to take evasive action by not inviting the commissioner. However, in the case of the committee work on this bill, the commissioner was able to have his say.

Can my colleague comment on the fact that the very reasonable amendments brought forward by the NDP, which were inspired by the commissioner's comments, were flat out refused by the government, without any discussion?

Mr. Speaker, I thank my colleague from Beauport—Limoilou for his very relevant question.

As I said, since we have been here, since the beginning of the 41st Parliament, we have learned that this government prefers self-regulation. We have seen this in many areas, including rail safety, drug reporting—until we forced the government's hand—and personal information. Some 18 amendments were brought forward at committee. The commissioner also suggested that the bill be amended to reflect the Supreme Court ruling.

However, we know that privacy is a thorny issue and not a priority for the Conservatives. What, then, is their priority: getting personal information without authorization or income splitting?

Mr. Speaker, why is my hon. colleague across the way opposed to the position of the Privacy Commissioner? The Privacy Commissioner came to committee. The fact is that almost every witness agreed. Some did not agree with Bill S-4, and as we have heard, there were diverse opinions. However, the vast majority supported the changes that Bill S-4 presented, and the Privacy Commissioner was part of those.

Why does the NDP ideology get in the way of recommendations from the committee and the Privacy Commissioner?

Mr. Speaker, I would like to respond to my colleague across the way with some facts and key figures.

In one year alone, the Conservatives made 1.2 million requests to telecommunications companies for Canadians' personal information. What is more, 70% of Canadians feel less protected than they did 10 years ago. That came from a 2013 survey of Canadians on privacy protection.

Some 97% of Canadians would like organizations to notify them in the event of a breach of security of their personal information. It has been proven that there is a directive that is not clear. It surprises me that there is no authorization, no consent, no judicial oversight.

Mr. Speaker, I am pleased to speak to Bill S-4, the digital privacy act, which was recently reviewed by the Standing Committee on Industry, Science and Technology.

Bill S-4 introduces a number of important improvements to the Personal Information Protection and Electronic Documents Act that will increase the level of privacy protection for Canadians.

PIPEDA is privacy legislation that has been in place for more than a decade now. Under the law, organizations are expected to apply stronger protection in situations that are privacy-sensitive. As an overriding rule, businesses must limit what they do when it comes to the collection, use, and disclosure of personal information to activities that one would consider reasonable and appropriate in the circumstances.

Not all individuals have the same capacity to understand what is reasonable and appropriate, nor can they necessarily appreciate the immediate or long-term consequences of providing information about themselves to a commercial enterprise. This is particularly true of minors. The range of online activities today's kids engage in is astounding. They take part in multi-player games with people from all over the world. They explore virtual worlds. They join chat rooms and post comments, photos, and videos about themselves and their friends.

Today's kids have grown up with the Internet and digital technologies. Social networks, gaming consoles, and smart phones have always been a part of their lives. When kids interact with their friends and when they play games, more often than not it is through technology.

According to a survey conducted in 2013, more than 30% of grades 4 to 6 students have Facebook accounts. By grade 11, 95% of students have such an account.

Digital technology offers tremendous benefits to children's education, development, and social lives. In today's digital economy, children must be able to safety and securely use network technologies and access the online world if they are to develop the skills they will later need to find jobs in the digital marketplace.

What children may not be aware of is that the information they share in the context of online play or learning can actually have unintended consequences. Online personal information has become an enormous source of revenue for companies. Kids are able to play online games, download and use apps, and talk to their friends at no cost because companies offering these services generate revenue by harvesting and using personal information for profiling and marketing purposes.

This government does not wish to prevent today's youth from fully realizing the benefits of the digital world. The skills they develop through these many online activities will provide them with significant advantages when they enter the job market as young adults. This government fundamentally believes that digital literacy and skills are at the core of what is needed for individuals to succeed in today's digital economy.

However, with an increased online presence comes added risk. Strong protections for children's online privacy are needed.

PIPEDA already contains defences that safeguard the personal information of minors. For example, the act prohibits organizations from using deceptive means to obtain consent. Most importantly, it requires companies to limit the purposes for which they collect, use, or disclose personal information to reasons that individuals would consider reasonable and appropriate in the circumstances.

Bill S-4 enhances these protections by clearly setting out requirements that organizations must meet when obtaining consent. These new provisions will have a positive impact, especially when it comes to the protection and the privacy of children.

The new measure will require organizations to clearly explain why they are collecting information, what they will do with it once they have it, and what the consequences of providing it will be.

What is more, they must provide this explanation in a way that can be understood by the audience they are targeting with their product or service. This means that any business targeting children must pay very close attention.

The amendments in Bill S-4 mean from a legal perspective that when a company is seeking permission to collect, use, or disclose personal information from a group of individuals such as children, it must take steps to ensure that these individuals are able to fully understand what would happen to that information.

In practice, this would mean that the organization's request for information can be easily understood by the target audience. This includes making sure that the wording and language used in the request are age-appropriate. For example, a video game designed and marketed to preteens would clearly need to take a different approach to obtaining the consent of players to collect personal information than a video game marketed to adults.

We heard from a number of witnesses during the committee's consideration of the bill, and the majority were supportive of our government's proposed amendments in Bill S-4 to enhance consent.

The Privacy Commissioner of Canada repeatedly expressed his support for the amendment. This is what the Privacy Commissioner told the committee:

Consent is a big part of PIPEDA, and I think it's useful to have this clarification of what actually is consent. We obviously know that it is a huge challenge for organizations to properly advise individuals of the reasons they collect information and they use it, so any tool that enhances, that provides an incentive for organizations to be clearer, and to take into account the context of the individual or consumer I think helps Canadians.

The commissioner further emphasized:

So, when the individual is a child, if your product is addressed to children, you should think about what is reasonable to expect of a child in understanding the consent being sought. Overall, I think, again, the definition of consent in Bill S-4 will assist generally and will assist particularly groups that are more vulnerable, like children.

Privacy information must be clear to the user. The privacy policy should be specific to whatever service the child is using and not be a one-fits-all privacy policy.

The standing committee also heard support for this amendment from a number of other witnesses, including from business. For example, the Marketing Research Intelligence Association, a national self-regulatory body that represents Canada's survey research industry, wrote in a submission to the committee that it fully supports the enhanced consent requirements of the bill.

The association noted in particular that the amendment provides “added clarity for organizations when they seek the valid consent of an individual” when collecting, sharing, and disclosing their personal information. It went on to say:

We believe that specifying the elements of valid consent will go a long way to protecting the most vulnerable Canadians, such as seniors and children.

Our government has already taken significant action when it comes to protecting children online. We have made important progress to shield our children from online intimidation, cyberbullying, and other similar threats and abuse through amendments to the Criminal Code of Canada that were passed under the Protecting Canadians from Online Crime Act.

The amendments put forward under the digital privacy act build on those actions taken to address cyberbullying and represent additional real and tangible measures to protect Canadians and their families from online threats.

PIPEDA has been in force since 2001. Concerns about the protection of children's online privacy were raised with Parliament in 2007 during the first statutory review of this act. There was general consensus among witnesses that children warrant extra privacy protection, given their particular vulnerability to deceptive and privacy-invasive practices. Indeed, at the conclusion of its review of the act, Parliament recommended that the government examine the issue of consent by minors to determine if PIPEDA should be amended.

Our government heard stakeholder concerns and is responding to the recommendations of committee by introducing enhanced protection for the privacy of minors that is now before the House. This is an important amendment, and along with all other measures in this bill, it should be passed quickly.

The digital privacy act takes real and tangible steps to protect society's most vulnerable individuals. I hope hon. members will join me in supporting this bill so that these new protections can come into force quickly.

Mr. Speaker, I listened carefully to the speech by the hon. member, who, if I am not mistaken, is also a member of the Standing Committee on Industry, Science and Technology.

The government seems to be in a hurry to move forward with this bill. However, we still have some concerns about privacy protection. The Privacy Commissioner raised those concerns.

Can the hon. member elaborate on how this bill will really protect the privacy and communications of Canadians who communicate honestly and in good faith? Does this bill contain measures that will really protect Canadians' privacy?

Mr. Speaker, the committee heard many witnesses. They provided views and testimony from both sides of the spectrum.

It is important to note, as per my colleague's question, that the digital privacy act would require organizations to tell Canadians if their personal information has been lost or stolen. As well, heavy fines of up to $100,000 would be imposed on companies that deliberately break the rules. The legislation would place strict limits on the type of personal information companies can disclose; establish new rules to protect the privacy of vulnerable Canadians, particularly children, as I just discussed; provide provisions to protect seniors from financial abuse, something we have spoken about extensively this afternoon; include measures to allow the use of information to help find missing children; and give the Privacy Commissioner of Canada more power to enforce the law and help hold offenders to account.

Bill S-4 meets those objectives more than adequately.

Mr. Speaker, I am pleased today to speak to the very important Bill S-4. It concerns the sharing of personal information in the digital age. It deals mainly with the way in which we legislate against companies responsible for the loss or sharing of information. We know this is a very sensitive issue because we are in the digital age where more and more personal information is found online. We think first of banking information, and also of information that sometimes seems not that important, but that is nevertheless part of peoples' private lives. It is information that we share on social networks, such as photos.

This covers all kinds of of complex issues, such as copyright, that we have addressed in the House since the last election, and the dissemination of information pertaining to national security. We had an important debate on this issue during the debate on Bill C-51. We learned that information technology companies, or startups, had concerns about some of the bill's provisions.

Of course, we are all familiar with the infamous story of Bill C-30, where the minister of public safety and emergency preparedness at the time told us that we stood either with the government or with child pornographers. This example shows just how big an issue we are dealing with and the Conservatives' poor record in this regard.

First, I would like to mention something very important and very simple: the obligation to review the privacy legislation every five years. Obviously, this is very important given how quickly technology changes. Unfortunately, such a review has not been implemented. A number of bills were introduced in this regard, but they died on the order paper when the Prime Minister prorogued Parliament. There was, of course, Bill C-30, which is a whole other story, and there was also the bill introduced by my colleague from Terrebonne—Blainville. That bill, which the government refused to support, sought to implement a robust privacy review process, give more power to the Privacy Commissioner and have clearer legislative provisions.

Bill S-4 includes similar provisions. However, they do not go far enough and there are still worrisome loopholes. One of the grey areas that I am particularly concerned about has to do with organizations, such as banks, that could share private information. These organizations are required to report a loss of personal information to the Privacy Commissioner only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. That may seem clear, but when it comes to legislative measures, we can see that there is a lot of leeway in how this provision of the bill is worded. The company could decide that no one's privacy was really violated and that there was no risk of harm to the individual and simply not report the privacy breach.

One of the flaws in this bill is the requirement for a court warrant, which my colleague from Terrebonne—Blainville brought up earlier and which she included in her bill. The Supreme Court recently ruled that any invasion of privacy by the government and any request that the government makes to a private company that is in possession of our information require a mandate. There is no such requirement in this bill, which is extremely worrisome. That is why I made the link earlier to Bill C-51 and the debate on Bill C-30, which did not end up taking place because we managed to get the government to back down. The government seems to be on the wrong track and does not seem to take privacy seriously.

Its record is a great example of that. How many times does the House need to hear criticisms about mismanagement at the Canada Revenue Agency, for example, during question period or at every possible opportunity, whether it is when bills are introduced and petitions are presented or at press conferences?

This department is in possession of the most sensitive information on Canadians, such as their social insurance numbers and their tax information. The department has been the victim of data breaches, and the government does not seem to be taking any responsibility. That makes it hard for us to trust that the government will require private companies to comply with high privacy standards when it is not capable of doing so itself. This situation is extremely worrisome.

We know that this is a complex issue because more and more things are done online. As far as matters of national security are concerned, we know that as legislators we have work to do. We wanted to propose amendments to ensure that this bill went further and complied with the Supreme Court decision. Like a number of witnesses in committee, we question the constitutionality of this bill in its current form.

If I am not mistaken, the 18 amendments the NDP proposed were all rejected. True to form, the Conservatives did not listen to any of the testimony or pay any regard to the amendments proposed by all the parties. The amendments proposed by the NDP were all based on what the public had to say and on the very hard work of my colleague from Terrebonne—Blainville, who was trying to get suitable provisions for 2015, not 2000. Technology changes and so does our reality, and we have to adjust accordingly.

In this context, there are a number of troubling aspects. First, this bill was introduced in the Senate, which, naturally, we criticize every chance we get. The Minister of Industry made an announcement about how he wants to proceed in the digital age, but instead of introducing this bill in the House himself, he introduced it in the Senate. That is one problem.

The second problem is that the Conservatives wanted to skip second reading and send the bill straight to committee. That is not a bad idea in and of itself. The NDP has asked for the same in order to study certain extremely complex files.

For example, we asked to take this approach for Bill C-23, which we called the “electoral deform” bill. Since the government wanted to go straight to committee, we thought it was willing to accept amendments and listen to witnesses, but that did not happen.

The third problem concerns another of the government's bad habits: the honour of the 97th time allocation motion was bestowed on Bill S-4 in order to limit debate. Unfortunately, at this rate, the Conservatives will have moved 100 such motions by the time the election is held. To be blunt, that is pretty shabby.

Although it is important to protect Canadians' privacy and to do what it takes, in 2015, to implement an approach appropriate for the digital age, recent Supreme Court decisions have cast doubt on the constitutionality of this bill.

This bill does not go far enough, and since the government wants to limit debate and does not accept the amendments and the work done in committee, we cannot and will not support this bill. I am very pleased to rise in the House to say that.