Bill S-4 (Historical)

Mr. Speaker, parliamentarians are concerned about how personal information is handled, and what I read in the testimony in no way reflects the opinion that the hon. member just expressed.

We demand that the government withdraw the provisions in the bill that allow companies to share information on subscribers without a warrant and without their knowledge or consent because the constitutional validity of those provisions is dubious and they are a threat to Canadians' rights and privacy protection. That is what we want.

Mr. Speaker, I thank my colleague for his speech.

I would like him to comment further on the government's attitude toward the opposition's ideas given that the government rejected all of the amendments the opposition put forward.

We warned the government of the dangers inherent in various bills studied by various committees over the past four years.

Can my colleague comment on the government's marked tendency to reject all ideas from parties other than its own and the threat such an attitude can pose to the constitutionality and effectiveness of the bills introduced and debated in the House?

Mr. Speaker, I thank the member for his question. I would like to commend him for the excellent work he is doing in his riding, as well as the member for Terrebonne—Blainville if I may, who also helped us understand this very complex, multi-faceted bill.

The Conservative government likes to provoke the opposition and the Supreme Court by always pushing the limits imposed by our institutions. The Conservatives always think they are right. They are blinded by their ideology, which also makes them immune to any arguments presented by experts in various domains.

It is no coincidence that the Conservatives have made huge cuts to the sciences since 2011. They do not like to hear the opinions of experts; they would rather hear an opinion that lines up with their ideology.

However, it does not always work that way in the real world, which is fortunate, because we have institutions that are stronger than the Conservative Party of Canada.

Mr. Speaker, I am pleased to have the opportunity to speak to Bill S-4, the digital privacy act. The bill would make significant improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA.

One aspect of the digital privacy act that has not received a lot of attention is how the bill would help reduce red tape for businesses. Reducing red tape for Canadian businesses saves money and helps encourage greater investment in our economy. I would like to focus my comments today on these important changes.

We must always bear in mind that strong privacy legislation is not just good for everyday Canadians; it is also good for businesses. In our rapidly evolving digital economy, personal information is becoming increasingly valuable, creating tremendous new opportunities for businesses to innovate and develop new products and services.

Canadians will not provide their private information to businesses if they do not trust that it will be protected. At the same time, if the rules are too cumbersome and complex for businesses to manage and show no clear benefit to consumer privacy, then companies will struggle to implement them. It is for these reasons that the digital privacy act proposes a number of common sense changes to help businesses protect privacy in a way that does not hinder their ability to conduct business.

All of these changes make sense. They were all identified by the Standing Committee on Access to Information, Privacy and Ethics when it conducted the first statutory review of PIPEDA back in 2006. Businesses have been waiting a long time for these changes, and it is important that we move now to implement them. I would like to briefly touch on each of these important changes.

The first changes are in relation to business transactions. Currently, if a company wants to examine personal information as part of its due diligence—for example, if a business is thinking of buying a magazine and would like to look at the list of current subscribers—it first needs to obtain the consent of each individual subscriber. This requirement not only presents a tremendous burden for the company but is also often impractical, given the confidential nature of most prospective business transactions.

Bill S-4 fixes this problem by creating an exception to the requirement for consent that would allow businesses to share information in this context. This must be done in such a way that the privacy interests of those involved are protected.

Under the digital privacy act, information could only be shared for the purpose of assessing the feasibility of the transaction. If the transaction did not proceed, the information would have to be destroyed or returned. If the transaction did proceed, then the individuals would have to be informed.

This amendment would implement a recommendation made by the standing committee during the first statutory review and is modelled after a similar exception that is currently in place in Alberta and British Columbia under their private sector privacy laws.

In addition, the amendment has widespread support among stakeholders. Ms. Éloise Gratton, a lawyer with the Borden Ladner Gervais law firm, appeared before the Standing Committee on Industry, Science and Technology. She said:

I offer my support to two important provisions in the bill: mandatory breach notification and business transaction exception.

The next important amendment I would like to highlight is the change to how business contact information is dealt with under PIPEDA. Currently, certain types of business contact information are not defined as personal information. Specifically, a person's business title, address, and telephone number are not considered personal information and are therefore not regulated.

As was pointed out during the first statutory review of PIPEDA, this would present an obvious problem: only a few bits and pieces of information are considered to be business contact information under PIPEDA. A person's work email address or fax number or their LinkedIn account or a business Twitter handle are all considered personal information.

The digital privacy act would correct this problem by creating a technology-neutral definition of “business contact information”. It would do this by being inclusive of all types of communication points of contact, such as social media applications like Twitter and LinkedIn. With this change, a sales manager would now be allowed to share an employee's work email address with a client without having to get permission first. This would create a better balance between protecting privacy and allowing information to flow in a digital economy. At the same time, the act would continue to protect business contact information if it is used outside of a business context.

Another important amendment in the digital privacy act would be the clarification around the rules for when someone's personal information is included in their work product. An example would be when a garage mechanic signs off on a vehicle's inspection or a work estimate. The fact that the mechanic signs off on the estimate would mean that it now contains his personal information.

Currently, under PIPEDA, a business must obtain an individual's consent to use or share any work product he or she creates if it contains the individual's personal information. Again, this seems like a rather silly and unnecessary bit of red tape. Bill S-4 would fix this problem by ensuring that businesses can use their employees' work without getting the employees' consent.

Finally, the digital privacy act would ensure that insurance companies can use witness statements when assessing or processing any insurance claim. Witness statements provided to the police or other investigating authorities may contain personal information. For example, if I were to witness someone running a red light that results in a car accident, my statement to the police would include personal information. Currently, under PIPEDA, an insurance company processing any claims for the accident would need to get the consent of anyone named in my witness statement in order to use it. Such a requirement would create the potential for someone who breaks the law to use privacy as a shield to avoid responsibility for his or her actions.

The digital privacy act would fix this problem with an amendment that would enable an organization to obtain a witness statement without having to obtain the consent of an individual whose personal information is contained within it. However, this experience would only apply when the information is necessary to assess, process or settle an insurance claim.

In addition to strengthening privacy protection in Canada through measures like mandatory data breach reporting and stronger enforcement powers for the Privacy Commissioner, which had been discussed extensively in this place, the digital privacy act would also make a number of important changes that would cut red tape for Canadian businesses.

I hope hon. members will join with me in supporting a balanced and carefully considered bill that would dramatically improve Canada's privacy law.

Mr. Speaker, the NDP is entirely supportive of the need to update our privacy laws, especially in the digital age, when we frequently share our private lives online. However, something about this bill really bothers me, which is why the NDP will not be supporting it.

Unfortunately, although the bill is called the digital privacy act, some of its measures actually work against privacy by opening the door to more sharing of personal information among organizations, on a voluntary basis, without the knowledge or consent of the individuals in question. The Privacy Commissioner even raised some concerns about this. This will really open the door to a lot of information sharing. Sometimes it will be for legitimate reasons, and sometimes not.

Why has the government not taken action in this regard? Why did it not include the amendments put forward by the Privacy Commissioner to ensure that this bill really does protect Canadians?

Mr. Speaker, I assure the member opposite that our government takes the privacy of Canadians very seriously. That is why we introduced the digital privacy act, which contains important new protections for Canadians. Based on the testimony heard at the industry, science and technology committee, our government believes that we have struck the right balance in this bill.

We take the privacy of Canadians seriously, and so do Canadians right across our great country. I want to share a quote from a well-known Canadian, the current Privacy Commissioner. He stated:

I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

Mr. Speaker, I thank my colleague for her speech.

I would like her to come back to why this bill is coming from the Senate. The question was asked earlier, but the government did not provide an answer.

Would the hon. member like to tell us why the government has decided, more than once, to have unelected senators introduce bills that in fact are government bills, and likely from the Minister of Industry?

Why did the Conservatives decide to send this bill to the Senate before elected members of the House could look at it? They could have simply introduced the bill here and let it follow the usual process, like most bills introduced by the government.

Mr. Speaker, I assure the House, and the member opposite must know as well, that this bill has to go through the two Houses regardless. Therefore, that is the path we chose. It will be well worth it to get it moving on, and well received by all Canadians because it is a very important change.

Mr. Speaker, the thing that bothers me about this whole process is that this bill was introduced in the Senate first, as the hon. member for Sherbrooke mentioned in his question, and then brought to the House.

We even adopted a motion to study the bill before second reading stage, which instilled confidence and was a sign of good faith. We thought we could amend this bill and make the necessary changes to ensure that it truly protects Canadians' personal information in the digital age.

However, the government kept saying we did not have enough time to amend the bill because it needed to be passed as quickly as possible.

I want to point out that this government introduced similar bills in the past and I myself introduced a bill on this topic that we could have passed and would already have become law. The Conservatives refused it all. They did nothing and now suddenly they are making this an urgent matter.

Why did they fail to do anything about this before it became an urgent matter?

Mr. Speaker, I assure the member opposite, and all members of the House, that our government is getting the job done, and that is why we are moving on.

Mr. Speaker, I am pleased to rise today to speak Bill S-4, the digital privacy act, which would significantly strengthen Canada's private sector privacy law.

In today's increasingly digital world, Canadians need to have confidence that their online transactions are secure and their privacy is protected. Unfortunately, data breaches, computer hacks, malware and other online threats are simply a reality of today's modern digital landscape. If Canadians do not trust that their private information is safe when it is in the hands of business, then they will not provide it. Without the free flow of information, our digital economy will stall. This is why strong, effective privacy laws that protect personal information are essential to building consumer trust and confidence. Canadian businesses need clear and balanced rules to follow so that their handling of personal information meets the expectations of Canadians.

The digital privacy act would provide important improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA. Canadians want control over their personal information and our privacy laws give them exactly that. PIPEDA requires businesses to obtain a person's consent before collecting his or her personal information and ensures that this information is used only for the stated purposes. PIPEDA also gives Canadians control over which type of information is collected about them, how it is used and with whom it is shared. PIPEDA holds businesses accountable for the private information they hold, requiring them to keep it safe and out of the hands of hackers or thieves.

Further, the law gives Canadians the right to access their information at any time to make sure that it is accurate while also giving the Privacy Commissioner strong tools to enforce compliance. Privacy is a major concern for Canadians and they want to know that their personal information is secure. Businesses that can offer that security have a clear competitive advantage.

If I have a choice between a company that does not make protecting my personal information a priority versus one that tells me exactly what information it is collecting and how it is protecting it, I am going to choose the business that offers me the most protection. Businesses that are clear about what they are doing with personal information and have appropriate safeguards in place to protect that information will have an advantage in the marketplace.

Thankfully, limiting the collection, use and disclosure of personal information, having appropriate safeguards and being open about privacy practices are all part of the founding principles of PIPEDA. PIPEDA applies to all private sector organizations operating in Canada. It came into force on January 1, 2001, and its framework has stood the test of time. It is based on a set of 10 internationally recognized principles called the fair information principles. These principles give individuals control over their personal information and the way it is managed in the private sector. They establish strong privacy rights for Canadians and real obligations for companies.

By requiring businesses to protect personal information, PIPEDA is not only protecting the privacy rights of Canadians but is helping contribute to a vibrant Canadian economy. These founding fair information principles for PIPEDA mean that the act is flexible and scalable and allows data to move seamlessly across borders, all of which are good for Canadian businesses. PIPEDA is a flexible piece of legislation. It is technology neutral, which means that it evolves and will apply to new technologies in businesses as they emerge. It applies to all categories of businesses, not just one sector. It also lets companies find innovative new ways of protecting privacy because it is not overly prescriptive.

As I said, PIPEDA is also scalable. It applies to organizations of all sizes in Canada. Whether a small business or a large multinational corporation is doing business in Canada, it is governed by PIPEDA. Having a foundation based on these internationally recognized principles, being flexible and scalable, all contribute to PIPEDA reducing unnecessary red tape for businesses while also maintaining and protecting the privacy rights of Canadians. This puts Canada at a strategic advantage globally.

PIPEDA's balance between these two approaches allows Canadian businesses to be competitive in different markets around the world. By not being overly burdensome, PIPEDA allows Canadian businesses to adapt to new technologies as they emerge, thus allowing them the opportunity to compete with international markets and increase their revenues. At the same time, because PIPEDA is not overly lenient, Canadians can feel secure that their personal information will be protected in their dealings with businesses in Canada. It is clear that privacy is important for businesses and our economy.

Clearly, PIPEDA supports business activities, while protecting the personal information of consumers. Bill S-4 takes Canada's privacy protection a step further and clarifies rules for businesses.

Our government recognizes that companies need to have access to and use personal information to conduct business activities. That is why Bill S-4 provides a clear set of guidelines for businesses when it comes to the collection, use and disclosure of the personal information of Canadians in the course of commercial activities. These activities can include undertaking a merger or acquisition, processing an insurance claim or simply share an employee's email address and fax number with another company.

Bill S-4 would maintain PIPEDA's balanced approach and would provide important clarifications for businesses to conduct themselves with confidence, while at the same time offering consumers the assurances they need that their information is being protected.

The digital privacy act would also provide for oversight and accountability to ensure that when safeguards failed, individuals would told about it and could take the appropriate measures to protect themselves.

The balanced approach found in PIPEDA and continued in Bill S-4 is an important element in establishing a growing trust and confidence in today's digital economy. Once again, it is that consumer trust and confidence that will help businesses and the economy to flourish. It is that trust and confidence that will help us to continue to build a digital Canada.

Thanks to PIPEDA and the improvements proposed in Bill S-4, Canadians can be confident that their privacy is being protected when they provide their personal information to businesses.

The digital privacy act proposes common sense changes that will reduce red tape for businesses, while also maintaining and protecting the privacy of Canadians. A clear set of rules for privacy protection allows businesses to focus on providing exceptional service to their clients, while simultaneously offering them an advantage in today's increasingly competitive worldwide marketplace.

I want to take this opportunity to urge all hon. members to join me in supporting the bill.

Mr. Speaker, this bill establishes a mechanism to be used by organizations to report data breaches, data thefts, and so forth, which is very important. I called for such a mechanism in the House and proposed one in my Bill C-475.

However, the model proposed by the government in this bill is extremely subjective. The organization itself determines whether or not the data breach is serious and whether or not to notify the people concerned. Some data breaches may not be reported to the commissioner or the individuals in question. The individuals would not have the opportunity to take the necessary steps to properly protect themselves.

Instead of implementing a subjective measure, why not implement an objective measure that would put more power in the hands of the individuals whose identity or personal information has been stolen or breached?

Mr. Speaker, the member talked about the bill she brought before the House. However, I think we all have to agree that Canada does not need a heavy-handed approach that would add red tape for businesses and increased cost. We are all about increasing business in our country, driving our economy, and trying to create jobs and seeing Canadians work.

The Privacy Commissioner also agrees with us. He said:

—we believe it would be counterproductive to require organizations to notify individuals of all breaches. Similarly, we do not think it would be practical or efficient to require organizations to notify our Office of all breaches.

The Privacy Commissioner understands that the heavy-handed approach that the member opposite talks about in requiring more red tape for our businesses does not drive our economy. It is not beneficial to Canadians as a whole, and that is why we could not support that approach.

Mr. Speaker, I simply want to respond to the hon. member's answer. My proposal ensured that the Privacy Commissioner was the one who determined whether the data breach was significant enough to report. What the Conservatives are proposing will put the burden on companies because, regardless of how big they are, this law applies to them. There are larger companies that have departments responsible for ensuring that people's privacy is respected and our country's laws are complied with. However, it is more difficult for small companies to determine whether that is the case. Some have no idea what to do, not because they do not want to co-operate, but because they simply do not have the people to do it. Why not help them out a little by giving them access to the Privacy Commissioner's resources and expertise?

I would like to reiterate that the Conservatives' bill provides far less help to small and medium-sized businesses.