Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

Motions in Amendment (Digital Privacy Act, Government Orders)

May 12th, 2015 / 3:25 p.m.

Kevin Lamoureux (Liberal, Winnipeg North, MB)

Mr. Speaker, I appreciate the comments made by the member, but I do want to express some concerns as to the manner in which Bill S-4 was brought into the House.

The member made reference at the beginning of her comments to how she was optimistic at the beginning. I think there was a shared sense of optimism that we had the bill go on a different routine. As opposed to completing second reading and then going to committee, we wanted the committee to provide some feedback so that we could look at making some more significant changes.

There were a number of presentations made. A number of amendments were brought forward. At the end of the day, the government showed no sympathy in terms of accepting what witnesses were telling the committee, nor amendments that were being brought forward, whether from the Liberal Party or others. Given the importance of information, in particular online banking and things of this nature, and the issue of privacy, we have really lost an opportunity to make some positive contributions through changes to the legislation.

I would ask the member to reinforce what she started off her speech with: the importance of the government recognizing a sense of co-operation that was there at the beginning and not responding well, which has ultimately led to a great deal of opposition to the bill we are now being asked to vote on.

Motions in Amendment (Digital Privacy Act, Government Orders)

May 12th, 2015 / 3:05 p.m.

Charmaine Borg (NDP, Terrebonne—Blainville, QC)

Mr. Speaker, unfortunately we will oppose Bill S-4 for the reasons I will provide in my speech.

What I am especially disappointed about is that we all voted in good faith for this bill to be studied in committee before second reading. We told ourselves that we could perhaps work together to improve the bill and eliminate the most problematic parts or ensure that it would truly protect Canadians in the digital age. Unfortunately, that did not happen, even though we know that there are more and more risks associated with protecting personal information online.

For more than four years, we have been in Parliament with the same government that rejects all our motions and refuses to work with us in committee. This time, I do not know why, but I had hoped that we could work together.

Usually, a bill is sent to committee before second reading because there are problems with the bill and we want to make changes. Perhaps we want to change something or make changes to PIPEDA that go beyond the immediate scope of the bill. We had hoped to work together. Unfortunately, that did not happen.

That is why I moved three motions today to remove the most problematic sections from this bill. These motions will be voted on together.

We heard over and over that these two sections—clauses 6 and 7—are extremely problematic. These clauses will make it easier to share people's personal information without their consent and without them even knowing that their personal information is being shared. The government is trying to broaden the scope of situations in which information can be shared without consent. That is extremely problematic.

Obviously, there are sometimes extreme circumstances that require personal information to be shared. Such situations exist. Everyone knows that. We take issue with the fact that there is no transparency. There is no mechanism in place to ensure that this information is shared only in exceptional and urgent circumstances. What is more, the threshold of reasonable suspicion is very low.

As a result, we voted against these clauses when the bill was examined in committee. Unfortunately, the Conservatives decided to go ahead with them anyway.

We even proposed amendments to improve these clauses by restricting the kind of situations in which information sharing can happen and creating a system that encourages transparency. There has to be an accountability or oversight mechanism to ensure that this information sharing only happens under exceptional circumstances. That is really not the case.

As I said, we proposed amendments to improve the bill because everyone in the House of Commons knows that protection of personal information is a big issue right now, one that is really important to our constituents.

I even give computer security courses to seniors in my community because they want to understand how to use new technology and they want to have a certain level of confidence when it comes to protecting their information and their identity.

Everyone agrees that this is an important issue and that we have to update PIPEDA to ensure that it can better address the threats present in the digital age in the 21st century.

Unfortunately, the Conservatives' approach was to put something on the table and refuse to accept any amendments or listen to what the witnesses had to say. They just forged ahead.

All of the parties proposed amendments, except for the Conservatives, of course, and all of the amendments were rejected. The NDP even proposed 18 separate amendments that were all rejected.

Most of all, I deplore the fact that from the beginning of the committee's examination of this bill before second reading, the Conservatives said they did not want to change anything. Why should we bother voting to send something to committee before second reading if, from the beginning, the Conservatives have already decided that they will not change anything? It makes no sense. It also demonstrates bad faith. We are supposed to examine bills with an open mind and a desire to improve them, correct their shortcomings and work together. That is what it means to live in a democracy.

The Conservatives even insulted some of the witnesses during the study in committee, telling them that they could choose to either vote for the bill in its current form or accept that there would be no changes to the Personal Information Protection and Electronic Documents Act before the next election. I understand we are having an election soon, but the Conservatives had plenty of opportunities to modernize the Personal Information Protection and Electronic Documents Act. There was Bill C-12, which simply disappeared because of prorogation. The bill that I introduced in the House contained very similar provisions to the ones found in Bill S-4, but the Conservatives voted against my bill.

These changes could have already been in the legislation. Unfortunately, the government suddenly says the timeframe is too tight and the only thing we can do is pass the bill as is despite all its problems and flaws. The government simply wants to pass the bill as is. I think the Conservatives are being disingenuous about this. To tell all the witnesses that the choice is between this bill and nothing is really insulting to them after they took the time to travel here to share their opinions and present their proposed changes.

Since the government rejected all the amendments and we did not manage to improve the bill, the NDP will have to vote against it even though we recognize that some provisions are a step forward, although they do not go as far as they should. Nonetheless, I cannot vote in favour of a bill that will create more opportunities for personal information to be shared without consent, without authorization, without the individual concerned being informed, and without a proper oversight mechanism. That is what this bill would do.

Clauses six and seven, which my motions would eliminate, will weaken the protection of privacy by allowing the sharing of personal information without the consent and authorization of the individual concerned. I already stated that the threshold was very low. I proposed raising the threshold so that the organization asks questions before sharing this information. The Conservatives refused. The Privacy Commissioner even raised concerns about this provision. He said that it could open the door to abuses, and that is what we found. This government made 1.2 million requests to Internet service providers to obtain personal information as a result of flaws in the Personal Information Protection and Electronic Documents Act. There have been actual abuses. As members of Parliament, we cannot consciously open the door to further abuses. However, that is exactly what clauses six and seven of this bill do.

I will now read what the Privacy Commissioner said at the February 17, 2015, meeting of the Standing Committee on Industry, Science and Technology:

Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.

This is very problematic because according to its title, this bill is supposed to create the digital privacy act. I am sorry, but there is a problem when parts of the bill contradict its objective. You do not have to be a genius to understand that.

I would like to share a quote from Michael Geist, who also testified at the Standing Committee on Industry, Science and Technology on March 10, 2015:

...the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed....With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

He also took the opportunity to disagree with the process that the Conservatives put in place and the idea that we should pass this bill without amendment because we are out of time.

The warning mechanism for a data security breach proposed in the current bill is another problem. Many parliamentarians understand the need for such a mechanism. This was brought up in the committee on which I sit, the Standing Committee on Access to Information, Privacy and Ethics, while we were studying this bill.

As the Privacy Commissioner has said many times, we must require that organizations notify individuals when their data are compromised. In a number of cases, as with Target and Home Depot, the data of thousands of people have been compromised or lost completely. Since the people in question are not always informed, they are not in a position to protect the compromised data. That is a huge problem.

Bill S-4 fixes this problem but does not really go about it in the right way. The proposed model is much too subjective because it allows the organizations themselves to determine whether a data breach creates a real risk of significant harm to an individual. The organizations therefore have to police themselves. They also decide for themselves whether to inform, or not, the Privacy Commissioner and the individual affected of any data breaches that occur.

The model that I am proposing is more objective. I proposed it before when we were examining this bill in committee and when we were examining my private member's bill, Bill C-475, which could have been passed already had the Conservatives not voted against it. This model would give the Privacy Commissioner the power to determine whether a security breach is serious enough to inform the individual. Thus, it would not be up to the organizations to do it.

What is more, PIPEDA covers all organizations, from convenience stores to large digital technology corporations. Some organizations, such as convenience stores that have only a couple of employees, are unable to determine how serious a data breach is. It is therefore important to allow them to turn to an expert, namely the Privacy Commissioner.

I would like to read a quote from John Lawford, the executive director and general counsel for the Public Interest Advocacy Centre, who testified before the Standing Committee on Industry, Science and Technology on February 19, 2015. He said:

Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4, incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.

As he said, the proposed mechanism is much too subjective. It is unfortunate that the Conservatives refused to implement a more objective system.

This bill does not give the Privacy Commissioner the power to issue orders. The former privacy commissioner, Jennifer Stoddart, asked for that repeatedly. Provincial privacy commissioners also wanted it because they have that power.

All too often, organizations do not act on recommendations made following an investigation by the Privacy Commissioner. Big international companies do not think they need to comply because it is just Canada, but Canada's laws must be respected. When our laws and the Privacy Commissioner's recommendations are constantly ignored, we need to fix that problem.

We could give the Privacy Commissioner the power to issue orders, but there is nothing about that in the bill. Instead, it calls for compliance agreements, which do not go far enough and do not really motivate organizations to act on the recommendations because they are not orders. We wanted to fix this problem, but once again our proposal was rejected.

I would have liked them to adopt the model I proposed in Bill C-475. I suggested following the usual investigation procedures, after which the commissioner would issue orders and set a deadline for compliance. The parties would act in good faith. For example, if problems were not resolved within a year, the Federal Court would impose a fine.

This system would give organizations that comply with the law and the recommendations a chance, with no repercussions whatsoever. However, if we do not find a solution and do not encourage organizations to respect privacy, there will continue to be abuse, and the law and the Privacy Commissioner's recommendations will continue to be ignored.

Bill S-4 is a step in the right direction, but it does not go far enough. That is what I said throughout the entire study. As a matter of fact, some witnesses also said it was important to have a system that truly encourages privacy protection.

What is more, given that we studied this bill in committee before second reading, we had the opportunity to correct other problems with the Personal Information Protection and Electronic Documents Act, because we knew there were some flaws. Under what circumstances is it acceptable for the government to submit at least 1.2 million requests a year for personal information to Internet service providers? This is a serious problem, but nothing is being done about it.

I thought we could sit down as parliamentarians and come up with ways to put oversight and transparency mechanisms in place and even get rid of these flaws and abuses. This was a missed opportunity.

Recently, the Supreme Court established in Spencer what was reasonable and not with regard to privacy protection. Unfortunately, that ruling was not taken into consideration during the study in committee. The Personal Information Protection and Electronic Documents Act was not amended in order to make it consistent with the Supreme Court ruling. That needs to be done. The government needs to show some vision and correct these flaws to provide better protection of Canadians' privacy because that is what Canadians deserve.

Speaker's Ruling (Digital Privacy Act, Government Orders)

May 12th, 2015 / 3:05 p.m.

The Speaker (Andrew Scheer, Conservative)

There are five motions in amendment sitting on the notice paper for the report stage of Bill S-4. Motions Nos. 1 to 5 will be grouped for debate and voted upon according to the voting pattern available at the table.

The House proceeded to the consideration of Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as reported (with amendment) from the committee.

Business of the House (Oral Questions)

May 7th, 2015 / 3:05 p.m.

Peter Van Loan (Conservative, York—Simcoe, Ontario), Leader of the Government in the House of Commons

Mr. Speaker, I agree with the hon. member so far as his first statement is concerned, that this has been a good week for Canadians.

It has been, because today the House of Commons voted on a ways and means motion and introduced a budget bill that would reduce the small business tax rate from 9% to 7%, although the NDP voted against that this morning, and it brought in a family tax cut to bring fairness to families, except the NDP and the Liberals voted against that.

We also introduced, of course, expanded flexibility for seniors on their RRIFs and increased room for all Canadians on tax-free savings accounts. Unfortunately, the Liberals and NDP voted against it, but that does not matter, because we delivered, and Canadians will get to enjoy the benefits of that because of the vote we had today in this House.

It has indeed been a good week for all Canadians, certainly those who care about and want lower taxes.

After this statement, we will debate Bill C-52, the Safe and Accountable Rail Act, at report stage and third reading. This bill strengthens Canada’s rail safety system, and I understand that all parties are interested in seeing this bill move forward quickly.

As I announced in the House yesterday, tomorrow shall be the third allotted day. Monday will be the fourth allotted day. Additionally, I am designating Monday as the day, pursuant to Standing Order 66(2), when we will conclude the debate on the eighth report of the Standing Committee on Finance.

On Tuesday morning, we will continue the debate on Bill C-52.

After question period today, we will consider Bill S-4, the digital privacy act, at report stage and second reading. This legislation would provide new protections for Canadians when they surf the web and shop online. These changes to protect Canadians' personal information are key elements of Digital Canada 150, our government's plan for Canada's digital future.

Starting on Wednesday, and for the remainder of next week, we will debate Bill C-59, economic action plan 2015 act, No. 1, which was introduced earlier today, as I already referenced.

This critical economic legislation would reduce taxes, including many of those I already spoke about, and deliver benefits to every Canadian family through the family tax cut; our enhancements to the universal child care benefit; encouraging savings with enhanced tax-free savings accounts; lowering the tax rates for small businesses; introducing the home accessibility tax credit, a very important improvement for seniors to help them stay in their homes for longer; and expanding compassionate leave provisions; and the list goes on and on.

As the hon. member said, it has been a very good week for Canadians, even though he opposes all of those measures.

Regrettably, the Liberal leader, earlier this week, announced that he would raise taxes for middle-class Canadians by replacing that very same family tax cut with a family tax hike, and despite this Liberal tax, the Liberal leader is discovering that budgets do not balance themselves. He has a $2 billion hole in his plan. Canada cannot afford that kind of reckless, high-tax, deficit-building approach.

In voting against our tax cuts for families set out in the ways and means motion the House adopted—

May 5th, 2015 / 12:10 p.m.

Krista Campbell, Director General, Information and Communications Technologies Branch, Department of Industry

Your question is at the heart of much of what government really needs to consider. If you think of what it's been into recently in digital privacy with respect to Bill S-4, there are some really important fundamental things government needs to think about with respect to the privacy of the individual and the frameworks in place to ensure both government and other interfaces, whether it's businesses, or charities, or third-party organizations, respect an individual's privacy. There need to be clear rules that an individual, a consumer, or a citizen can understand with respect to the fact that they've gone online, they've purchased something, they've consented to this but not to this, and therefore they have assurances and know their identity has been protected with these known sites.

With respect to things like cyber and ensuring that we have a secure set of infrastructure, that individuals have confidence that they're able to use the Internet for the right purposes and not be hacked, the government continuously works with international partners that look at the governance of things like the Internet and ensures that policies and practices are put in place that businesses can then commit to. We have disruptive technologies in certain areas like quantum, which could be incredibly disruptive once they are commercialized, that this committee will undoubtedly be running across in terms of a whole game changer for cyber and protection.

There are roles for government in thinking about supporting things like data literacy and consumer literacy when they are online. Financial services are one of the areas where Canadians are the most concerned. We have very strong provisions at some of the financial institutions within Canada for things like mobile payments and mobile wallets. So government must be continuously encouraging work in those areas so Canadians have security in terms of their identity, they have recourse, and they know that government is pushing the boundaries for these policies. But in many instances, as you indicated, it is government reacting to the changing environment and trying to stay up to speed with what's going on. It's very difficult and challenging to figure out where that next disruption is coming from.

Business of the House (Oral Questions)

April 23rd, 2015 / 3:10 p.m.

Peter Van Loan (Conservative, York—Simcoe, Ontario), Leader of the Government in the House of Commons

Mr. Speaker, I thank the hon. opposition House leader for his question.

This afternoon we will continue debating economic action plan 2015, our Conservative government's balanced budget, low-tax plan for jobs, growth and security.

He was referring to it and its impact on future generations, and that is where this budget is perhaps at its best, because it delivers long-term prosperity.

With the tax-free savings account, it will provide benefit for generations to come. It helps families save for their children's university education. We have put an additional element in the budget to allow greater flexibility with student loans with calculation of income.

In fact, it is future generations who stand to benefit the most. The most important element from which they benefit, something they would never see under an NDP government, is a balanced budget. That means they will not be paying the freight for generations that came before them for high-spending debt plans that we see from the opposition parties. That is the most important long-term benefit for future generations, so we are very proud of the budget in this regard. Of course, we have been hearing from my colleagues this week that it is a prudent and principled plan that will see Canadians more prosperous, more secure, and everyone confident in Canada's place in the world for some time to come.

While we are focused on creating jobs and putting money back in the pockets of hard-working Canadians, the opposition parties have both confirmed that they want to see higher spending and higher taxes on middle-class families, high taxes on middle-class seniors, high taxes on middle-class consumers. In fact, any tax they can raise, they will probably take a shot at it when they get the chance.

The budget debate will continue on Tuesday and Wednesday of next week.

While I am talking about the budget, I cannot help but note that, when pressed Tuesday night for some detailed insight into the Liberals' economic vision for Canada—something we have been waiting for since the hon. member for Papineau became the Liberal leader two years ago—that member told reporters that he would keep it secret from Canadians for yet more weeks—or months—to come.

I am going to give him an opportunity next week to be courageous and share an actual proposal with Canadians—something beyond the view that budgets balance themselves. Therefore, Monday shall be the second allotted day.

Meanwhile, we will start the report stage debate on Bill C-51, the Anti-terrorism Act, 2015, tomorrow. Through this legislation, the government is taking additional action, in line with measures taken by our allies, to ensure our law enforcement and national security agencies can counter those who advocate terrorism, prevent terrorist travel and the efforts of those who seek to use Canada as a recruiting ground, and disrupt planned attacks on Canadian soil.

Next Thursday, after we have concluded the budget debate, we will consider report stage and second reading of Bill S-4, the digital privacy act. This legislation aims to protect better and empower consumers, clarify and streamline rules for business, and enable effective investigations by law enforcement and security agencies.

In anticipation that Bill C-46, the pipeline safety act, will be reported back from committee soon, we will start report stage, and hopefully third reading, after question period that day.

We will round out next week with the debate on Bill C-50, the citizen voting act, at second reading, on Friday.

Industry, Science and Technology (Committees of the House, Routine Proceedings)

April 22nd, 2015 / 3:15 p.m.

David Sweet (Conservative, Ancaster—Dundas—Flamborough—Westdale, ON)

Mr. Speaker, I have the honour to present, in both official languages, the sixth report of the Standing Committee on Industry, Science and Technology in relation to Bill S-4, an act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another act. The committee has studied the bill and has decided to report the bill back to the House without amendment.

April 21st, 2015 / 12:15 p.m.

Christopher Padfield, Director General, Digital Policy Branch, Department of Industry

To add, I think that's part of the rationale in Bill S-4 and the additional powers that were given to the commissioner with that longer period of time to go to court. Under PIPEDA previously, it would have been 45 days, but Bill S-4 extends that to a year. It gives the commissioner more of a timeframe to go in.

It also expanded the commissioner's name-and-shame powers, if you like. The commissioner can more publicly report on a broad range of activities that companies are undertaking, which I think was one of the issues in the Bell case. The commissioner made his findings public, which he's not required to do, but he thought it was in the public interest to make them public.

I think Bill S-4 provides additional authorities and powers that still fall within that ombudsman model that has been so effective, and doesn't move the commissioner into a regulator role and more of a conflictual role with the private sector.

April 21st, 2015 / noon

Green

Bruce Hyer Green Thunder Bay—Superior North, ON

This amendment reverts back to the proposed language for notifying the Privacy Commissioner about security breaches, which is found in the previous PIPEDA reform bills C-12 and C-29, but it is stronger and clearer. Why? It creates a mandatory security breach disclosure requirement at the federal level, and that is long overdue. Geist at the Senate said that Bill S-4 establishes the same standard of “a real risk of significant harm” for both notifying the commissioner and the individuals, but also said this is very puzzling. It means that there is no notification for systemic security problems within an organization. This is very likely to result in significant under-reporting of breaches. Our amendment creates incentives for organizations to better protect that information and allows Canadians to take action to avoid risks including identity theft.

April 21st, 2015 / noon

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Let me just point out to the committee how what is proposed is different from having the organization do an assessment of two thresholds in making that determination. As Madam Borg pointed out, the NDP amendment does create a two-step process, so an organization would first determine whether or not a breach posed a possible risk of harm and that would go to the Privacy Commissioner. Then the Privacy Commissioner would look at the data breach and determine whether or not notification to individuals was warranted.

The standard applied by the Privacy Commissioner would likely result in an appreciable risk of harm. The organization is accountable for telling the Privacy Commissioner, which creates an accountability on the part of the Privacy Commissioner to do a risk assessment and determine whether or not individuals will be notified. Bill S-4 places the accountability for both of those things on the organization itself.

Madam Borg's second point was that the amendment gives the Privacy Commissioner the power to order a company to notify individuals, whereas under PIPEDA currently and under Bill S-4, the Privacy Commissioner doesn't have the ability to make those orders.

April 21st, 2015 / 11:55 a.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair.

In testimony on Bill S-4 we heard a lot of different opinions on the implementation of a notice mechanism for data breaches. This is a contentious point. In fact I examined this at length when drafting my bill. I am referring here to Bill C-475 which was unfortunately defeated because of the Conservative Party.

Through this amendment, I want to propose a more objective threshold. Indeed, I would like the Privacy Commissioner of Canada to be responsible for assessing the prejudice the person whose data has been lost, breached, and so on could suffer.

This legislation does not only apply to large businesses, but also to small ones. However, small enterprises do not necessarily have the necessary means to determine if the data breach is serious. These businesses could turn to the Privacy Commissioner of Canada. He knows these issues and is in a position to determine whether the data breach justifies notifying the person.

Moreover, this amendment would allow the Privacy Commissioner of Canada to order organizations to inform the persons concerned. This would also force organizations to notify people and would give the commissioner a little more power. Indeed, he could ensure that the privacy of individuals dealing with the organizations is respected.

I think this threshold is more objective, that it would afford better privacy protection, and that it would reduce the burden on small businesses.

Thank you.

April 21st, 2015 / 11:50 a.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

The amendment has two parts. Many witnesses came before this committee and talked about the threshold for when organizations would be required to report a privacy breach to the Privacy Commissioner and the thresholds for when they would be required to notify individuals. That's the substance of the first amendment.

The proposed amendment would create two thresholds. For a report to the Privacy Commissioner, the breach would need to be a material breach. The criterion for a material breach is essentially that there's an aspect of risk, but I would argue it's designed to be a less objective test. You do look at the sensitivity of the information, but primarily you look at how many individuals were affected. Then the organizations do an internal review, and they ask whether this represents a systemic problem and whether it is evidence that they have a bigger problem here that they should tell the Privacy Commissioner about.

The other threshold is, as proposed in Bill S-4, the notification to individuals. This is unchanged. It would be a breach that is determined to pose a real risk of significant harm. This is a risk-based threshold. We look at the circumstances, the sensitivity and the probability that the information will be misused and the potential harm that it could cause, and those are the breaches we would tell individuals about.

It establishes these two thresholds, so what the Privacy Commissioner would be told about wouldn't necessarily be the same data breaches that individuals would be notified about.

From my own perspective what I found interesting about the testimony that the committee heard is that, on the one hand, business organizations like this because they don't want to have to tell the Privacy Commissioner about the one-off breach, the one that was really serious but only affected four or five people. They wonder why they need to tip off the Privacy Commissioner that this has happened. They'd rather only tell the Privacy Commissioner about the big problems, and deal with these with their clients directly.

Privacy advocates, on the other hand, didn't see these two thresholds as necessarily different. They saw them as nested in some way, so that the material breach was actually a lower threshold and that the Privacy Commissioner would hear about all of those breaches that affect one-offs—two or three people. But then for the ones that go to the individual, it's a higher threshold of that higher risk. They saw it that way.

From a policy perspective and as administrators of the law, the fact that you saw those two different views suggests that the provisions are not necessarily as effective and clear as they could be, if you have different stakeholder groups interpreting them in very different ways.

The committee may be aware that those two thresholds, the material threshold and the real risk threshold, were in previous versions of government bills to amend PIPEDA. But when Bill S-4 was drafted, this issue was examined and it was determined that because of those competing views, it was more simple, more effective for there to be a single threshold. An organization would look at a data breach and they'd say, “Is there a risk of harm in this circumstance? If there is, I have to tell the Privacy Commissioner and I have to inform the individual.”

That way the Privacy Commissioner knows about every single data breach that goes out to individuals. But to create accountability and to make sure that organizations are conducting these risk assessments in good faith, Bill S-4 creates a new requirement that wasn't in previous bills, and that's to maintain the records.

The process is very straightforward. I have a data breach. I determine if there is a risk. If there is, the notification goes out. If the determination is that there isn't a risk, that this may be evidence of a systemic problem or something like that, I have to maintain a record. The policy rationale behind that is that as soon as you require an organization to record this information and maintain it, they're going to pay more attention to it and this is how they're going to determine whether or not they have a systemic problem.

Bill S-4 gives the Privacy Commissioner the power to demand those records at any point. There's no threshold. The commissioner doesn't have to have any suspicion that something's going on. He can ask to see a company's records.

This gets to the second part of the amendment, which deals with that record-keeping requirement.

The committee heard witnesses saying that they were concerned about this requirement. What information were they going to have to maintain in the record? How long were they going to have to keep it for? They were nervous about the burden that it would create. The only thing I would point out to the committee is that all of those specific requirements will be set out in regulation, and there will be an opportunity to consult broadly with it.

The intention of the record-keeping requirement is to maintain only that information that's necessary to meet those two objectives I talked about: making sure the company pays attention to it, and providing a way for the commissioner to hold the company accountable for that risk assessment.

To the extent that the requirement to document a data breach may create a conflict in law that may be contrary to some other law, we're not aware of any federal statute that would prohibit a company from documenting that they have suffered a data breach. As for the specific requirements, if there was concern that there may be a conflict in law if the regulations, say, you have to keep it for five years and there is some other requirement that says you have to destroy these things after two years, all of that would be addressed during the regulatory process and it wouldn't be necessary to have that chapeau in the act saying unless prohibited by law.

April 21st, 2015 / 11:40 a.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Thank you, Mr. Chair.

To be clear, the language proposed in Bill S-4 is that the disclosure would need to be necessary to establish, manage, or terminate the employment relationship and the amendment would add “and reasonable”.

We've talked about the reasonableness threshold already and what that entails. The fact that subsection 5(3) of the act already provides this overall requirement that any collection, use, and disclosure be reasonable in the circumstances, the use of the term necessary was intended to establish a higher threshold than reasonable.

In other words, the collection, use, or disclosure of that specific personal information is required for the purpose. So it would only be information that is required to establish, manage, or terminate an employment relationship. It wouldn't include any other information in the context of someone's employment.

April 21st, 2015 / 11:30 a.m.

Director, Privacy and Data Protection Policy Directorate, Department of Industry

John Clare

Mr. Chair, I would just point out the difference between these amendments and the NDP's amendments. The NDP amendments propose to change the threshold. These types of disclosures would still be permissible in certain circumstances, but it changes the threshold for when the disclosures would be permitted. This amendment would remove the exception entirely, so it would eliminate any exception to consent for either fraud prevention, detection, or suppression activities, or private investigations.

It's worth pointing out that the amendment in Bill S-4 that provides these exceptions.... They are not new exceptions. They change the way that these disclosures happen. Currently there are provisions in PIPEDA that allow for private investigations. We refer to it as the “investigative bodies framework”. Bill S-4 repeals the investigative bodies framework and replaces it with these exceptions. This amendment takes out the exceptions from Bill S-4, but it doesn't return back to the status quo.