Bill S-4 (Historical)

It is my duty, pursuant to Standing Order 38, to inform the House that the questions to be raised tonight at the time of adjournment are as follows: the hon. member for Charlesbourg—Haute-Saint-Charles, Official Languages; the hon. member for Windsor West, Tourism Industry.

Mr. Speaker, it is my pleasure to speak to Bill S-4, and I would like to do so by addressing three themes. The first will be how Bill S-4 reflects rather badly on our democratic process. The second theme will be that Bill S-4 is already hopelessly out of date. It is behind the technological times. The third theme is that there are worrisome features in Bill S-4 to the extent that it would inadequately protect privacy, even within the limits of what it is trying to do.

On that first theme of democracy, we should recall that a lot of what has subsequently come through the House in a series of different bills started with Bill C-30, which I always called the Internet surveillance bill. It got so panned by experts and civil society that the government tried to take it off of the table in the House by sending it to committee for study before second reading. It then disappeared, because the government knew that too much in there had attracted too much early attention from Canadians.

I mention that, because parts of it have begun to reappear in bits and pieces since Bill C-30 disappeared.

Bill S-4 uses one of the same techniques as Bill C-30 to try to take it away from public scrutiny. It is ironic that the method it would use is one that was recommended by the McGrath committee in 1982 or 1984, which is to make better use of committees by having them look at bills before the principle of the bill has been fixed, by having the government send the bill to committee before second reading. That is between first and second reading. It would allow committees to effectively look at the bill as a strong draft from the government, but for MPs, presumably from all parties, to try to improve and perfect the bill without being hamstrung in the way we are now in our committee study of bills by the principle having been fixed, as it gets fixed when we go to second reading for a bill in principle.

Bill S-4 did get sent to committee and, surprise, surprise, with the way that the government has operated since I have been here and since it got a majority in 2011, there were no amendments. The government rejected every amendment and presented no amendments itself. It was as if it had not heard anything that had convinced it of anything, despite all of the witnesses who had appeared and who, in very measured tones and with a very focused analysis, had indicated that there were ways, even within the limited confines of what the government was trying to do in the bill, that the bill could be improved. However, the government, through its MPs on that committee, decided that the bill was fine as-is.

Look at House of Commons Procedure and Practice, second edition, on page 742. It tells us what this procedure was intended to be when the McGrath report came down in 1982 or 1984. It was intended to be an empowering mechanism for the House in relation to government legislation. It was meant to create more of a partnership between MPs and the government. It says:

This empowers Members to examine the principle of a bill before second reading, and enables them to propose amendments to alter its scope.

In the end, this was a subterfuge. Who here is going to doubt that the reason it was sent to committee between first and second reading was to get it off of the agenda in the House, which can tend to lead to a bill receiving more public attention and producing the kind of civil society push back that we have seen meet the government's bills on and on for the last little while? It was a mechanism to reduce its visibility and to have it reappear just about now, with two weeks to go, when there is no steam, no energy, nothing left for civil society to get its mind around in terms of general resistance.

My colleagues have mentioned a problem with this bill, as with other bills that start in the Senate, which is a structural problem that will hopefully be dealt with after the next election by having the Senate put in its proper place. There is also something here, which is that there has been no acknowledgement by the government that this bill probably does conflict with the Spencer decision of 2014 in the Supreme Court of Canada.

This decision recognized the nature of the privacy interests in Internet users' data, including all the metadata that identifies various features of their existence on the Internet, and indicated that in a police context, warrants are needed in order to get access to that information.

PIPEDA, as amended by Bill S-4, would now allow private sector organizations, using the guise of fraud investigations, contractual breach investigations, et cetera, to request of any other private actor all that same information, and nothing is put in here by way of safeguards. It is as if the Spencer decision never came down.

We have had no opinion tabled anywhere from the Department of Justice, through the Minister of Justice, to say that under section 4.1 of the Department of Justice Act, the minister has assessed that Bill S-4 complies with the charter, even after the Spencer judgment. That is because the government never tables opinions and never takes charter arguments seriously.

The record is clear. Last year alone, something like a dozen judgments came from the courts, and 10 out of the 12 found that the government's legislation breached the charter or other principles of law.

The bottom line is that this bill is not a good story for democracy, but that again, I am sorry to say, is not a new story.

The second theme is that the bill has missed the boat.

This all started in 2007. That was when the PIPEDA review was mandatory under the statute, and very quickly a couple of different bills began to appear in the House. They just never got through the minority Parliament at all. Nothing really changed along the way. The government is still stuck back in whatever its thinking was around 2007.

Let me quote from the Library of Parliament's background paper on Canada's federal privacy laws. It says:

As advances in technology increase the ease with which information about individuals can be gathered, stored and searched, the need to protect the privacy of such information presents a rapidly evolving challenge for legislators.

That challenge has not been met. It is as if the government does not know how much of an information economy we have rapidly, almost exponentially, year by year, evolved into being.

How about these basic facts?

The world's largest taxi company right now has no cars. It is the largest taxi company because it has information. That is Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company by virtue of how it owns information.

The world's largest retailer has absolutely no inventory. That is Alibaba, in China.

This is the world we live in now, and there is nothing in the PIPEDA amendments, in Bill S-4, to indicate the government is at all aware of what it means to be living in this economy.

We should think about the so-called Internet of Things. According to recent research, by 2020, 26 billion devices will be connected to the Internet. That is roughly an average of something like three or four per person on earth. There is no evidence that this bill even comes close to understanding the privacy issues that arise from the fact that we are increasingly living in a connected world in which our phones will be reporting on our heart rates, our fridges will report on our eating habits and even order our groceries, self-driving cars will be out there on the roads, and thermostats and smart meters will monitor our every movement. There is nothing in the bill in that regard. All I would say is that amendments that are 10 years out of date are not exactly something to write home about.

The third theme is the inadequacies and the problems in the bill.

Let me just list them. They have been mentioned before.

First, the way in which the bill deals with giving consent on the web is inadequate after the Spencer case.

Second, the loophole that allows for private organizations to pass on information without any kind of safeguard system analogous to a warrant system, on the simple basis that they are investigating breaches of agreement or fraud or financial abuse, is a recipe for incursions into privacy.

Third, I would end by saying that the reportability standard whereby, if there is a breach of data, a company or holder of the data must tell the person whose data has been lost on the basis of a real risk of significant harm is a subjective standard that is assessed by the company. There is no real system to ensure that it does not become a mechanism for breaches to be hidden from public view and hidden, therefore, from accountability.

Mr. Speaker, I want to thank my colleague across the way. I always find him to be a very learned member who always brings to the debate a level of intelligence and levelheadedness.

He mentioned the Senate in his speech. He said that after the election, he has a plan to solve the Senate. I would like him to extrapolate what he means by that and explain his rationale or how he is seeking to solve it. I would like to hear a little more about that.

Mr. Speaker, I am sure my colleague would, but I think we will keep the topic on Bill S-4 today.

I did raise it. You are correct.

Mr. Speaker, there are a whole range of measures that we would ask the Senate to consider to put itself in the proper relationship of complementarity to the House of Commons for so long as it exists. I will be releasing those measures at some point, but not at the moment. Meanwhile, we will do everything we can to convince Canadians and the other partners in Confederation that the Senate has seen its final days.

Mr. Speaker, my colleague wonders whether the NDP might be looking at changing its position on the Senate, but that is not why I stood up.

My question is in regard to privacy-related issues. Privacy continues to be a major issue in the minds of Canadians, and justifiably so. With the growth of technology, growth in participation in the Internet, and growth in the concerns related to privacy, whether in relation to government or in relation to private sector companies, we want to make sure that this information is being guarded. We want to make sure that the government can provide leadership in the form of legislation and that the potential for fines will in fact be realized.

The member referred to the government's lack of enthusiasm in dealing with this concern. Does he believe that the government has failed in terms of understanding the need for robust legislation that would protect the interests of consumers and has lost the opportunity to do so, as Canadians will likely want to see change toward the end of the year?

Mr. Speaker, the short answer—and I think I spoke to it in my speech—is yes, the government has generally lost the plot.

Privacy is more rhetorical from that side of the House, at least from the government ranks. I am not saying that is the case for all members of Parliament, but I do not think the Conservatives have any sense at all of where privacy absolutely needs to be taken seriously versus when it is used as a shibboleth for other kinds of agendas, as my colleague from Trinity—Spadina pointed out very well in his speech by noting that when privacy suddenly rears its head on such things as the long form census and the long gun registry, it does not quite rear the same head when it comes to privacy in the Internet context.

Mr. Speaker, I congratulate my colleague on his speech.

I would also like to talk about the process this bill would establish. The government could have taken this opportunity to fix the flaws in the Personal Information Protection and Electronic Documents Act, in order to ensure that Internet service providers and government agencies could no longer voluntarily share information without a warrant. There were at least 1.2 million requests in a single year. We have no details about why or about the circumstances surrounding these requests. The one thing we do know is that there was no warrant.

Could my colleague talk more about this missed opportunity?

Mr. Speaker, I thank my colleague for the question and for all her work, without which I would not be even half as informed about this bill as I believe I am.

The issue is ultimately that the government is not at all interested in having Canadians know the extent of something even so comparatively innocuous as the government asking for voluntary disclosure of information from private companies. The minimum, for example, that certain witnesses asked for is just to have statistics that the Privacy Commissioner and everybody else could be looking at, so that people would have a sense of the scope of the phenomenon. Nothing like that is even in the bill, let alone a regime that would actually regulate the phenomenon.

The bottom line is that the more Canadians know about the scope of government access to private information, the more concerned they become. The government is quite far behind on this issue. I think the Conservatives have a tin ear when it comes to where Canadians are on privacy issues.

Mr. Speaker, I am pleased to rise to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.

Last year, our government launched digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a broad-based, ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and connect Canadians to each other.

As the digital economy grows, individual Canadians must have confidence that their personal information is being protected. That is why, under digital Canada 150, one of the five pillars is known as “protecting Canadians”. The digital privacy act would provide important and long-awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities, while also setting guidelines for the collection, use, and disclosure of personal information. These rules are based on a set of principles developed jointly by government, industry groups, and consumer representatives.

The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, amendments would clarify rules for businesses and reduce red tape. These guidelines would also ensure that vital information is available to Canadian businesses, so they have the necessary tools to thrive in the global digital economy.

Balancing the individual expectations for privacy and the needs of businesses to access and use personal information in their day-to-day operations is important, and Bill S-4 gets it right. It would ensure individuals that, no matter the transaction, their personal information would continue to be protected under Canadian law.

The need to update rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements.

The bill before us would do exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The privacy commissioner must also be notified. An organization that deliberately covers up a data breach, or intentionally fails to notify individuals and report to the commissioner, could face significant fines as a result.

Let me now take a minute and point out some of the ways in which the bill before us would create an effective and streamlined regime for reporting data breaches. The digital privacy act would establish a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach. If a business determines that a data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and to the privacy commissioner. If the organization determines that a data breach does not pose a risk of significant harm—that is, their data security safeguards were compromised but they avoided a situation where their customers are exposed to threats like identity theft, fraud, or humiliation—then that organization must keep a record of the breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, would serve two purposes. First and most important, it would require companies to keep track of when their data security safeguards fail, so that they can determine whether or not they have a systemic problem that needs to be corrected. An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individuals affected may not be so lucky. Keeping track of all breaches would help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the privacy commissioner to hold organizations accountable for their obligations to report serious data breaches.

At any time, the privacy commissioner might request companies to provide these records, which would allow him to make sure organizations are following the rules. If companies chose to deliberately ignore these rules, the consequences, as set out under the digital privacy act, would be serious.

Bill S-4 would make it an offence to deliberately cover up data breaches or intentionally fail to notify individuals and report to the commissioner. In these cases, organizations could face fines of up to $100,000 for every individual whom they fail to notify. These penalties represent just one way in which the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee that:

...I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm.... We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I think it is clear that Bill S-4 would deliver a balanced approach to protecting the personal information of Canadians, while still allowing for information to be available in a growing, innovative digital economy.

Mr. Karl Littler, vice-president, public affairs, Retail Council of Canada, summed it up best, when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

I think we have it right with the digital privacy act. Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting the personal information that is essential to the conduct of business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians.

I urge hon. colleagues to join me in supporting this bill.

Mr. Speaker, I would like to pose the same question I asked another colleague of the member, and that is in regard to the timing of the legislation itself and the government's unwillingness to recognize the need to allow for amendments of its own legislation, which could ultimately provide greater strength and improve the legislation itself.

No doubt the member recognizes, as I am sure all members of the House would, the concern Canadians as a whole have in regard to privacy-related issues. It is somewhat surprising that the government has been unable to really bring in robust legislation that would, in fact, provide assurances to Canadians that the government really understands the issue.

At the last minute, months away from an election, with only a few weeks to go, now we seem to see the government in a hurry-up mode or attitude, in terms of, well, this is the best we can get.

Does the member recognize that the government has actually fallen short in addressing the very important issues that Canadians have, related to protecting their privacy, especially given the growth of the Internet and other technologies and the amount of information available on the Net today?

Mr. Speaker, clearly, the time to act is now.

These ideas have been around for a long time. We have debated them for quite a period of time. What Canadians are looking for is action. This is not a perfect bill by any means, but we do not let the perfect be the enemy of the good.

Chantal Bernier, former interim privacy commissioner, says, “I welcome proposals” in this bill. The bill contains “very positive developments for the privacy rights of Canadians...”. “I am pleased that the government has” addressed such issues as breach notifications.

The current Privacy Commissioner, Daniel Therrien says:

...I am greatly encouraged by the government's show of commitment to update...[PIPEDA], and I...welcome the amendments proposed in this bill.

I submit that it is time to act, and that is precisely what our government is prepared to do.

Mr. Speaker, I thank my colleague from Nipissing—Timiskaming for his speech on Bill S-4.

I worked on Bill C-51, which thousands of Canadians opposed. They were worried that the bill would invade their privacy and violate their rights and freedoms. In the answer he just gave, my colleague said that this bill was not necessarily perfect but that we need to take action. I have a question for him.

Bill S-4, and also Bill C-13, would allow greater access to personal information without a warrant and without provisions for a proper oversight mechanism. This is reminiscent of the extremely distressing Bill C-51, which we studied not too long ago.

Why is the government working so hard to allow snooping without a warrant by creating bigger holes with Bill C-13 and Bill S-4?