Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015: Passed. That the Bill be now read a third time and do pass.
June 18, 2015: Failed. That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: (a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; (b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; (c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; (d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and (e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015: Passed. That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015: Failed.
June 2, 2015: Failed.
May 28, 2015: Passed. That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 5 p.m.

John Carmichael, Conservative, Don Valley West, ON

Mr. Speaker, in committee, one of the issues that was discussed at length is elder financial abuse. I would like to ask the member how Bill S-4 would work to combat this serious problem in our society today.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:55 p.m.

Anne Minh-Thu Quach, NDP, Beauharnois—Salaberry, QC

Mr. Speaker, my Conservative colleague spoke about corporate accountability with regard to privacy protection. However, she knows full well that Bill S-4 allows those same businesses to decide for themselves whether or not they will address the complaints people make regarding the use and sharing of their personal information without their knowledge, without consultation and without a warrant.

Many witnesses told the committee that there is a problem with transparency in this bill and that it creates a conflict of interest because the company at fault is the one that decides whether or not the complaint will be addressed. This bill does not provide greater protection for consumers and Canadians. On the contrary, it opens the door to abuse. Many people and experts told the committee that the bill is seriously flawed.

I am wondering how the member opposite can say that this bill is going to protect children when it is flawed. Even the Privacy Commissioner said that the bill does not have the power to really protect Canadians.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:45 p.m.

Cheryl Gallant, Conservative, Renfrew—Nipissing—Pembroke, ON

Mr. Speaker, as the member of Parliament for Renfrew—Nipissing—Pembroke, it is my pleasure to rise in my place and express strong support for Bill S-4, the digital privacy act. This legislation would make important updates to the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

I take issues of privacy very seriously, just as do the people in my riding, like teachers, parents, and grandparents. The number one concern that is expressed to me by individuals is their right to privacy and their right to be protected from the misuse of private information. When it comes to the Internet, while it has brought many improvements to the lives of Canadians, the concern always is what happens to the information that is collected from the Internet on individuals and how it may be used.

Under the current law, companies must seek permission from an individual to collect personal information and may only use this information for legitimate business purposes that had been identified prior to collection. Businesses are required to protect this information when it is in their possession, and they cannot share it with anyone, except in the case of very narrow, limited circumstances. The digital privacy act would build on these protection policies and would add new requirements by which companies must abide.

For example, the bill would require companies to inform Canadians if their personal information has been lost or stolen and if they have been put at risk as a result. It would also clarify the rules around obtaining individuals' consent to collect their personal information, clarifications that would ensure children and other vulnerable groups would be protected when they go online.

The recent high-profile criminal court case in Ontario of a hand-picked senior Liberal provincial deputy minister being convicted of charges related to the heinous crime of pedophilia using the Internet demonstrates how dangerous a place the Internet is for children and the continual need to try to stay one step ahead of the bad guys. The fact that an individual could occupy such a senior position for years as deputy minister of education and a senior advisor to the Liberal premier of Ontario, and apparently do so undiscovered until uncovered by an international crime investigation, is shocking. Convicted pedophile Ben Levin was photographed happily campaigning with the leader of the third party in this place undetected, apparently, or otherwise. This demonstrates why we must always keep up our guard, particularly when children are involved. The Internet is a dangerous place for children.

My constituents in Renfrew—Nipissing—Pembroke know that, when children are involved, I will always err on the side of caution. As we have discussed many times before, strong rules are meaningless if they are not backed up with strong compliance tools. I would like to focus my comments in this critical area.

Let me begin by explaining how PIPEDA currently works with respect to compliance. The act is enforced by the privacy commissioner, who has the ability to investigate complaints and the power to launch investigations in the event that he feels an organization is in violation of the law. PIPEDA gives the commissioner broad investigative powers, which allow him to enter premises, compel the production of information and gather evidence. It is a criminal offence to obstruct the commissioner in the process of an investigation. However, for the most part, the commissioner acts as an ombudsman, using a range of dispute resolution tools to address any violations of the act he discovers in the course of an investigation. At the conclusion of an investigation, the commissioner issues a report outlining any violations of the act, a list of recommendations, and an assessment on whether corrective action needs to be taken moving forward.

PIPEDA's compliance regime has, for the most part, been successful in resolving issues brought to the commissioner's attention. Most organizations in Canada are good corporate citizens, and when the commissioner identifies that they are in violation of the law, they move quickly to correct their practices.

Unfortunately, as a lawmaker, I know from experience that there will always be those who try to skirt the rules. That is why Bill S-4 would make some important improvements to PIPEDA's compliance framework. These changes would make sure the commissioner has the necessary tools to ensure organizations respect the law and the privacy rights of Canadian citizens.

First, Bill S-4 would increase the amount of time available to take an organization to court. Currently, an application to the Federal Court has to be made within 45 days after the commissioner issues the report of findings. In their testimony to the standing committee, officials from the Office of the Privacy Commissioner explained why this period needs to be increased. They stated:

“As we've experienced in practice, 45 days is a very short time period to resolve some of the highly complex technological issues or broader accountability issues that organizations quite rightly need time to rectify.... We...follow up with them several months, if not a year, afterwards to ensure they did follow through on the recommendations they said they would undertake to do.”

To address this issue, Bill S-4 would increase the time in which an organization could be taken to court from 45 days to 1 year. As the Privacy Commissioner pointed out to members of the standing committee, organizations are often given up to a year to implement recommendations. This amendment would enable the commissioner to enforce compliance in court if a company fails to take the necessary action.

The second important change brought forward by Bill S-4 would give the privacy commissioner the authority to enter into binding compliance agreements with organizations. A compliance agreement is a regulatory tool that provides an alternative to taking an organization to court if it was found to be in violation of PIPEDA. Compliance agreements are voluntary but binding agreements. They are agreements between an organization and the commissioner. These agreements benefit both sides. From the organization's perspective, it gets certainty and clarity. From the commissioner's perspective, these agreements increase the accountability of the organization to become compliant with the law. Currently, commitments made by an organization to implement the commissioner's recommendation are non-binding. Compliance agreements, however, would make these commitments binding and enforceable by a court.

The inclusion of compliance agreements in the digital privacy act was supported by a broad range of stakeholders during committee hearings on the bill. The Privacy Commissioner himself stated that there are two main amendments that are very necessary and would be helpful for us to implement and apply. The first amendment he was referring to was about mandatory data breach reporting. The second was about compliance agreements. Similarly, Mr. Tamir Israel, from the Canadian Internet Policy and Public Interest Clinic, stated, “We're particularly pleased to see the inclusion of compliance agreements and an extended appeal period...”.

Finally, Bill S-4 would give the commissioner more power to name and shame, or to publicly disclose information when organizations are not co-operating. Under the current act, the commissioner can only publicly reveal information about the way in which an organization handles personal information. However, the commissioner cannot, for example, disclose that an organization is not co-operating with an audit or is otherwise acting in bad faith. For many organizations, the threat of having their lack of action made public would be an effective tool to hold them accountable and encourage them to comply with the law; and the proposed amendment could be used, for example, against foreign-based companies that are otherwise beyond the reach of Canadian courts.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:45 p.m.

Anne Minh-Thu Quach, NDP, Beauharnois—Salaberry, QC

Mr. Speaker, I would like to ask a question.

Bill S-4 has several flaws with respect to the protection of personal information. For one thing, it would lead to a reduction in the number of complaints and reports of breaches because the complaints made would be managed by the companies themselves. It would be up to the companies that receive the complaints to determine if they are serious enough to be addressed.

John Lawford, the executive director and general counsel of the Public Interest Advocacy Centre, says that this will incentivize not reporting data breaches by leaving it up to the organization to determine whether the breach creates a real risk. That is a real conflict of interest.

I am wondering what the member for Winnipeg North thinks about that. Was the committee told that the fact that this bill reportedly protects privacy when it actually does the opposite is a serious concern?

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:30 p.m.

Kevin Lamoureux, Liberal, Winnipeg North, MB

Mr. Speaker, I thank the member for York West for allowing me the opportunity to share a few thoughts on Bill S-4.

I am used to the member talking very passionately on a wide variety of issues, particularly regarding our seniors. She is a very strong advocate for our pension programs and so forth. It is also very nice to see that she takes the same sort of attitude in wanting to hold the government accountable on an issue that is important to seniors and all Canadians, which is the digital privacy laws, especially since the Internet and the use of it has exploded over the last decade or so.

When we get advancements in technology and witness it first hand, to the degree in which we have, one would expect the government to have an interest in wanting to ensure we stay on top of the issues related to those advancements. However, the government has not done that.

In fact, it is interesting that we are today debating Bill S-4, which is an important issue. If we were to consult our constituents, I think we would hear genuine concern with respect to the type of information that is on the Internet and just how easy it is for a breach of that security, ultimately causing a great deal of harm to individuals. In a macro situation, it could have a severe impact on the economy.

However, we have an important issue in which the Prime Minister has made the determination that he wants to give the bill that final push as we start to wind down after four years of inaction on the file. Now the Prime Minister, with four and a half weeks of sitting days left, wants to rush the bill through the process and pass into law.

As has been pointed out, we had a different situation in the process with Bill S-4. Not only did it come through the Senate, but it was also stopped before second reading and sent to committee for review. From what I understand, that is very rarely done. The reason it is done is to accommodate significant potential changes to the legislation. That tells me the government, the minister responsible for bringing this legislation before us today, understood there were issues related to the legislation that needed to be dealt with before it completed second reading. I am convinced it was the reason the government took the initiative to take the bill out of the normal process and bring it to a committee first.

I suspect the Independent members, the Liberals and the New Democrats believed the government would be open to amendments. That was kind of the impression that was given to us. However, something happened between the decision to bring the bill to committee and have it voted on in committee with respect to the amendments. This is where the Prime Minister's Office interjected.

Through his office, we found that the Prime Minister was not interested in amendments, because all that would do would prolong the amount of debate, possibly, by having it go back to the Senate. He was more interested in being able to make the statement that the Conservatives had made some changes to the law, even though the legislation was flawed.

I want to focus some attention on the fact that we have very important consumer-type legislation related to something about which Canadians in all regions of our country are concerned, and that is the issue of privacy and protecting it.

The amount of purchasing and other items taking place economically on the Internet is increasing every year. The government wants to try to score a political point by saying it is trying to address the issue. In reality, nothing could be further from the truth. If it were really important to the government, I would suggest that Conservatives would likely have brought it in before the last month or two of this session and that the Prime Minister's Office would have allowed for amendments at the committee stage. Why would Conservatives oppose amendments that would improve the legislation? Unless maybe the government did not want the opposition to support the legislation. There is a lot of merit to that. We have seen that in other pieces of legislation: bring in an idea, give it a label, tell Canadians they are concerned about something, but then leave serious flaws in the legislation to try to maybe get the opposition party offside. Who knows?

What I do know is that there are many deficiencies within the legislation, as has been pointed out by the Liberal Party critic or others, at committee. There are serious flaws in the legislation and there were, I believe, 40-plus amendments that were being proposed. Not one of those amendments passed. The government cannot say that it was political parties that were doing the posturing on it. Many of the amendments, including amendments brought forward by the Liberal Party, were taken from experts at committee who made presentations, some credible organizations, government agencies of sorts that came before the committee.

The government made the decision that it was not going to accept any amendments. What surprises me is that if the Prime Minister's Office had been more clear with the minister responsible for the legislation, the bill could have gone through the normal process. The normal process is not that much better. Ever since the Conservative/Reform government received a majority it had a different attitude in terms of how democracy works here inside the chamber.

I have heard about many pieces of legislation, not only this one, where opposition parties or individual members of Parliament would bring forward amendments and the government consistently said “no” and defeated amendments. The government makes a mockery of the system by not allowing members from all sides of the House to move amendments that would improve the legislation.

Subscriber data requests are very important. People are concerned about that. We know that there are victims who need to be warned when there are breaches of security. Personal identity theft is very real. It is happening far too often. The amount of fraud out there continues to grow and is becoming a serious problem.

We need to protect the privacy of Canadians, and this bill would not go anywhere near far enough to address the many concerns that were brought up, whether at committee or by individual members.

The issues are important. The government has dropped the ball. I would suggest that if the Conservatives really wanted to make a difference, they would allow amendments to pass. In essence, that would provide assurance to Canadians that the government truly does care and that it is more than Conservative spin that it is interested in, but there is no sign of that, unfortunately.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:30 p.m.

Judy Sgro, Liberal, York West, ON

Mr. Speaker, let me use the telecommunications companies as an example. There were thousands of times that telecommunications companies were giving access to personal information; that is our information and the information of many others.

My privacy and that of other Canadians needs to be protected. It should not be randomly given out because somebody asks for it. On anything to do with fraud, Canadians should be aware that their credit cards have been compromised. Individuals should be notified of that fact so they can monitor it themselves, not just assume that the credit card company will be on alert to protect their interests. Far too often the consumers are not notified of those kinds of things.

Again, on the issue of committee, my colleague has been here for quite a long time. He knows how parliamentary committees are supposed to work, and have always worked. When the government came into power, it decided it was not interested in committee work anymore. It did what it had to do to fill in time to go through the basic process.

Bill S-4 came in through the Senate. The bill should have come in through the House, and had the proper work done through a member of Parliament or minister. That is a proper way to deal with legislation. However, bringing it in through the Senate is the back door way of getting things done, and the government has used that approach several times to get through what it wants done.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:15 p.m.

Judy Sgro, Liberal, York West, ON

Mr. Speaker, I am pleased to have an opportunity to speak to Bill S-4. I will be sharing my time with the fabulous member for Winnipeg North.

I am pleased that we are discussing this bill, but again, unfortunately, it is the same Conservative divisive policy of “You are either with us or you are against us.” Members from all sides wanted to see some improvements to Bill S-4, but unfortunately the bill came from the Senate, and any changes were going to disrupt the process of trying to get legislation through very quickly, which is typical, of course, of the government's plan. I can only say that I was disappointed and that I have to stand and say that I have recommended that the Liberal Party vote against Bill S-4.

It is legislation that could have given our digital privacy laws the shot in the arm they so desperately need, and Liberals would have welcomed it if we had had the opportunity to make it better. That was certainly the intention from the Liberal Party's perspective.

As Canadians are increasingly turning to online commerce, education, banking, recreation, and communication platforms, our laws must keep pace in order to protect all of us. Sadly, the government has a wilful ignorance and reckless disregard for reason on such matters, and Bill S-4 proves it again very clearly.

Information oversight and management are not areas that the government has excelled in, so forgive me if my confidence is shaken a bit. I simply cannot accept without proof the government's word that it is actually protecting consumers' interests.

Of course, the way the government looks at personal information protection and privacy has already been subject to a Supreme Court ruling, and once again the court gave the government another failing grade.

This should come as no surprise to anybody who is paying attention to politics in Canada right now. We all remember when the government lost a hard drive that held the social insurance numbers, medical records, birthdates, education levels, and occupations of 5,000 Canadians. In addition, we remember when the interim privacy commissioner revealed that telecommunication companies receive an average of 1.2 million requests from federal enforcement bodies for private customer information every year. That is approximately 3,300 requests every single day for Canadians' personal information.

Perhaps I should also mention the headline that appeared in The Hill Times this week. It warned that Canada's access to information regime is slipping into—guess what—irrelevance. The article went on to reveal that the Centre for Law and Democracy ranks our ATI regime 56th out of 89 countries. I repeat, we are 56th out of 89 countries. We are really way up there, are we not?

The article also said that in September 2014, Canadian Journalists for Free Expression noted that ATI “is severely failing to meet its minimum requirements, let alone adequately serve the population’s needs.”

While I understand that access to information laws are different from digital privacy laws, these examples all point to a government that does not understand information management, yet refuses to seriously consult or listen to the experts on the matter who came before committee. The government stubbornly refused to listen to experts such as Professor Michael Geist and many others who appeared, including lawyers and professors, who said it was a good piece of legislation but that it could be better.

The intent, certainly on the Liberal side, was to try to make it better, but as everyone here knows, Bill S-4 was referred to the committee after first reading, as my colleague mentioned.

This is typically done for procedural reasons, and because it more readily allows for substantive amendments, the referral traditionally indicates the government's willingness to compromise. It was really very unusual for the government to do this, but it was very welcome. We thought that maybe the government had seen the light and that together we could improve this important piece of legislation, so we gladly supported it after first reading. We were preparing to move amendments, work together with the government, and make it a good, strong bill. It was on this implied promise that the Liberal caucus was prepared to support Bill S-4.

Committee members heard from several experts, including the privacy commissioner, IBC, the Canadian Bar Association, Professor Michael Geist and so many more. We took their counsel to heart in those four meetings.

After the hearings concluded, over 42 substantive amendments were presented in good faith, most taken directly from expert testimony. Those 42 amendments came from the three opposition parties in the House.

Let me give an example. I introduced an amendment that was specifically proposed by several witnesses and contributed to the committee study, including the Insurance Bureau of Canada. The amendment dealt with the reporting threshold for privacy breaches. My amendment would have required the reporting of any unlawful breach of personal information security so long as the said breach presented a significant threat of harm to an individual. That same amendment also clarified what a company needed to do to remedy the breach, including a requirement to warn victims that their information was lost. That sounds pretty basic. If my credit card was compromised or my personal information was lost, I would want to know that.

However, the government was unmoved. In just one short meeting, government members defeated every one of those 42 amendments without any explanation or defence. Some of them were out of date already by the time other ones had been defeated. There was no explanation or no big defence. It was simply the silent majority on the other side of the House voted them all down, just like they do all the time at all committees.

Despite warnings of overly broad, cumbersome and nebulous provisions within Bill S-4, the Conservatives took less than three minutes each to consider, discount and defeat everything that the experts had warned us about. As a result, Bill S-4 remains flawed. It has never been fully considered and should not be accepted or passed without a true and unbiased evaluation.

To be clear, there are positive elements to Bill S-4. For example, the legislation grants the Privacy Commissioner the ability to enter into enforceable compliance agreements with companies that have likely breached the act. This provides a regulatory remedy for certain actions and is a positive development. Public Safety Canada said that the bill would help to protect the security and privacy of Canadians by limiting the number of police and security officials who could request subscriber data and applying new requirements for recording, reporting and auditing those requests.

These may be good things, but several independent and credible sources outside of government expressed their concerns with Bill S-4. For example, many warned that metadata could be used to track specific individuals on the Internet and when in the wrong hands, that tracking could represent a serious threat to personal privacy. Bill S-4 utilizes a similar approach, and this is an issue of tremendous concern for those of us on this side of the House.

I want to ensure that law enforcement officials have the information they need to keep us all safe, but a blank cheque approach is inappropriate and promises limited success. We could do better if the government would just listen to the experts and then work with the opposition.

In broad strokes, Bill S-4 represents a shift in the way we deal with digital privacy. Privacy laws have traditionally outlined the rules and procedures needed to protect information and personal data, but in this case the legislation sets up circumstances under which that material could be released.

In a world where crimes involving personal data theft, identity fraud and online stalking are on the rise, protecting data is crucial. Data is not just information; it is a commodity. It is power and it is a back door into our private lives. The Liberals are deeply concerned that the government's commitment to safeguarding personal information and privacy of Canadians is less than absolute with Bill S-4.

Whether driven by Conservative ignorance or intent, Canada is clearly on the cusp of a paradigm shift with respect to privacy laws, and the Liberals are worried about the consequences of Conservative insolence.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:15 p.m.

Liberal

Kevin Lamoureux Liberal Winnipeg North, MB

Mr. Speaker, surely the member would recognize that Bill S-4 was put in a unique situation in that it went to committee before it received second reading, thereby creating what turned out to be a false expectation that the government was open to making changes. In reality, all the amendments brought forward were defeated. It was almost like a normal routine of other pieces of legislation that have just gone through the normal process at second reading.

My question to the member is this: why did he feel it was important to isolate this piece of legislation by bringing it to committee before it completed second reading and then sending it to committee stage? Why change the normal procedure, given that the government had no intention of making amendments?

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 4:10 p.m.

Conservative

John Carmichael Conservative Don Valley West, ON

Mr. Speaker, I thank my colleague for his presentation today on this important legislation. I would like to ask him, with regard to Bill S-4, if he could elaborate on how our government is working to protect and help vulnerable Canadians, especially children.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 3:55 p.m.

Edmonton—Mill Woods—Beaumont Alberta

Conservative

Mike Lake Conservative Parliamentary Secretary to the Minister of Industry

Mr. Speaker, I am pleased to be here today to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.

As consumers, we are all aware that, in the digital world we live in today, our personal information has become increasingly more accessible. People and organizations exchange huge amounts of information over the course of the day, whether it be through email, Internet browsing, or financial transactions. Digital networks have fast become the most efficient and convenient method of communication for Canadians.

Our government takes the protection of this personal information very seriously. We recognize the importance of having strong privacy protections in place to ensure that organizations are properly safeguarding the personal information of individuals across this country. Bill S-4 would implement changes to the Personal Information Protection and Electronic Documents Act, known as PIPEDA. These modifications would ensure that organizations are taking the appropriate steps to address the handling and protection of information in today's digital era. This bill, entitled the digital privacy act, sets out specific rules that businesses and organizations must follow when personal information they hold is lost, stolen, or accessed, either for malicious purposes or as the result of an accident.

As we have seen in the past year, data breaches continue to present themselves as a major challenge to the privacy and security of information. Breaches can happen in any number of different ways and to any type of organization. Digital information can be stolen through sophisticated cyberattacks or through simple software vulnerabilities that are made public.

Take the Heartbleed incident, for example. According to Symantec, this software glitch that was exposed in 2014 left approximately 0.5 million trusted websites at risk of a serious data breach. Financial information and sensitive customer data can also be left vulnerable in the event of a data breach. Unfortunately, this is a familiar topic for Canadians in today's digital age. Take, for example, last September when Home Depot announced that a data breach by unknown hackers left as many as 56 million debit and credit card customers across North America vulnerable to fraud.

Research shows that the majority of today's data breaches are conducted with malicious intent. The Symantec Internet threat report states that nearly half of all breaches are caused by outside attacks and that these attacks are becoming increasingly sophisticated. Canadians are concerned about this. A recent nationwide survey on Canadian attitudes around data breaches concluded that this issue is creating significant public anxiety. The survey found that 79% of Canadians are worried about being a victim of a data breach. Data breaches are a top-of-mind issue for Canadians. This is not surprising, given the importance of the Internet in the day-to-day lives of Canadians.

Organizations should also be concerned about data breaches, given how expensive these incidents can be to businesses. It is estimated that the cost to combat and recover from data breaches worldwide last year was approximately $364 billion. Business owners need to know that consumer demand for responsiveness to data breaches is increasing. A nationwide survey highlighted that Canadians assume that companies will take immediate action in the event that personal information is lost or mishandled.

That is not all Canadians expect. The same study concluded that over half of all respondents want companies to do the following: provide clear information and instructions on how individuals can protect themselves; and provide them with free credit monitoring for a certain period of time in the event that a breach occurs.

With the digital privacy act, our government is responding to the needs and concerns of Canadians. First, companies would be required to put in place strong security measures to prevent data breaches. Second, companies would be required to respond to a breach if and when it does occur or risk facing a strong penalty. With the changes we have proposed in the digital privacy act, if a company has its computer systems hacked and believes personal information has been stolen, or if that information has been lost inadvertently, the company would need to take a number of steps.

The company would be required to assess the risk resulting from the breach, and if it determines that the incident poses risk of harm, it would need to notify the affected individuals and file a report with the Privacy Commissioner of Canada. On the subject of mandatory breach reporting, the Privacy Commissioner has stated that:

Mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.

An organization would also have to keep a record of the event, regardless of whether a breach poses an obvious risk of harm. These records would not only allow organizations to demonstrate due diligence in their risk assessment, but they would also require companies to keep track of when their data security safeguards fail. This would help businesses determine whether or not they have a systemic problem that needs to be corrected.

What is more, organizations would be required to provide these records to the privacy commissioner at any time, upon request.

This record-keeping requirement would provide a mechanism for the commissioner to hold organizations accountable for their obligation to report serious data breaches.

Here is what the Privacy Commissioner had to say on record keeping:

I believe that the organization experiencing the breach is in the best position to assess risk and decide whether notification of individuals is warranted.

To provide an appropriate incentive to implement these measures, we believe that there should be serious consequences for intentionally ignoring them or attempting to cover up a data breach. Bill S-4 would make such deliberate acts a serious offence, punishable with fines of up to $100,000 per offence.

These changes are widely supported by stakeholders, as is evidenced by witness testimony during the committee's review of the bill.

The Canadian Internet Policy and Public Interest Clinic said that:

...we're very grateful to see this notification obligation coming into force. It's much delayed and needed.

The Canadian Bankers Association also came out in favour, stating that:

The banking industry supports the requirements in the Digital Privacy Act for organizations to notify individuals about a breach of their personal information where there is a real risk of significant harm.... We also support the Commissioner’s new oversight powers to ensure organizations comply with these new provisions.

Finally, the Canadian Pharmacists Association also expressed its support, saying:

For pharmacists who access a significant amount of sensitive information related to the medication and health of their patients every day, a breach or disclosure of this information has the potential to put the patient at risk.... As a result, CPhA believes that...reporting this breach to the individual concerned and the Privacy Commissioner are reasonable steps to take in order to mitigate any risk that may occur.

It's also reasonable for the organization in question to maintain proper records of these occurrences....

While there was broad-based support for the bill among stakeholders, the committee did hear some concerns about certain elements. One issue on which the committee heard different views is the threshold for reporting data breaches to the commissioner. Some stakeholders felt that the threshold is too high and that more breaches should be reported. Others thought the threshold is too low and that only material breaches should be reported to the commissioner.

The digital privacy act would take a balanced approach, one that avoids over-reporting of harmless incidents and yet allows the commissioner to oversee how organizations are meeting their obligations. The Privacy Commissioner agreed, telling the committee:

I support the risk-based approach that will require organizations to assess the seriousness of each incident and its impact on affected individuals.

Some stakeholders also expressed concern that the obligation to keep records of all data breaches is burdensome. However, the Privacy Commissioner, again, believes that the digital privacy act would get it right, telling the committee:

Requiring organizations to keep a record of breaches and provide a copy to my Office upon request will give my Office an important oversight function with respect to how organizations are complying with the requirement to notify.

Record-keeping can be done in a way that would minimize burden while still allowing businesses to demonstrate that they are conducting the proper risk assessments. The government would need to enact regulations to elaborate on what these records would need to look like and how long companies would need to hold on to them.

As a result, consultations during the regulatory development process would allow for further discussion, with stakeholder input, on this important issue.

Finally, some have questioned the need for fines in this area. The government recognizes that many organizations already notify individuals of data breaches in a responsible manner. However, we know from experience that there will always be those who try to break the rules.

The penalties in the digital privacy act would target those organizations that wilfully and knowingly disregard their obligations under the law or, worse, cover up a breach. These fines would not apply to organizations that make a mistake in good faith.

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa told the committee that:

We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored.... The fines currently in PIPEDA are designed as penalties for very overt offences.

Bill S-4 would encourage all organizations to play by the same rules and implement adequate controls and safeguards around the personal information they hold.

Furthermore, I encourage the House to oppose the motion put forward by the Green Party to delete clause 10 of Bill S-4. This would remove the new requirements for organizations to notify individuals who have been put at risk if their personal information is lost or stolen. The amendment ignores the advice of numerous privacy advocates including the Privacy Commissioner of Canada.

On several occasions, the commissioner has recommended that PIPEDA be amended to require mandatory data breach reporting. The digital privacy act would act on this recommendation, and the commissioner has expressed strong support for the approach taken in Bill S-4. The Privacy Commissioner and the majority of witnesses who appeared before the standing committee agreed that Bill S-4 is a significant improvement to PIPEDA and a necessary step in ensuring Canadians' personal information is safeguarded.

I think the Canadian Life and Health Insurance Association said it best in its witness testimony. It said that Bill S-4 takes a balanced approach to the responsibilities placed on business and organizations, but most importantly, it would protect the consumers of those businesses and give individuals the information they need to take corrective action when necessary.

Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4 would strengthen these rules and increase the protection of Canadians' personal information. In summary, the digital privacy act would balance the privacy needs of Canadians and the ability of businesses to access and use personal information in their day-to-day operations. It would do this in a way that avoids over-reporting of harmless incidents while making it clear to businesses what their legal obligations are.

I hope we can count on the opposition's support and quickly pass the digital privacy act into law.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 3:50 p.m.

Green

Elizabeth May Green Saanich—Gulf Islands, BC

Mr. Speaker, I agree with my colleague.

With Bill S-4, the government missed out on an opportunity to introduce a system that is in line with the Supreme Court decision in R. v. Spencer.

It is too bad, because this really could have been possible with the amendments brought forward by the opposition parties. Every party here brought forward amendments that would have worked. However, the government decided to reject all of them.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 3:50 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, I have a question as a follow-up to the question that my Conservative colleague asked the hon. member.

The R. v. Spencer ruling came down after this bill was studied in the Senate. What is more, Bill S-4 is based on models from British Columbia and Alberta. Some aspects from Quebec are included as well.

However, we saw that a report was tabled by the Legislative Assembly of British Columbia, the region my colleague represents, saying that in light of the ruling in Spencer, it would amend its personal information protection legislation, known as PIPA. If we are basing our legislation on a model that is changing, then I think we have a problem.

Why are we incapable of working together to see what repercussions the Supreme Court ruling might have on our laws, when other legislation, on which we are basing our bills, is in the process of changing?

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 3:50 p.m.

Green

Elizabeth May Green Saanich—Gulf Islands, BC

Mr. Speaker, first, I hasten to correct my friend. I have never spoken in this place, or in any serious location, with anything but respect and love for my colleagues.

My second point runs to the testimony provided by Professor Michael Geist that Bill S-4 runs contrary to the spirit of the Spencer decision and that, in fact, by allowing the disclosures to be made with upfront Internet service providers from telecom companies and so on without having the notification to the holder of the information, in his words:

The provision opening the door to massive expansion of warrantless, non-notified, voluntary disclosures should be removed....

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 3:35 p.m.

Green

Elizabeth May Green Saanich—Gulf Islands, BC

Mr. Speaker, I want to start by expressing my sincere thanks to my colleague from Terrebonne—Blainville, who just delivered a very important speech. She worked very hard on her own bill on this topic, and I think her bill should have been passed. In my opinion, her bill was far superior to Bill S-4.

I share the sentiments of the hon. member for Winnipeg North. He, like the member for Terrebonne—Blainville, said that all the opposition parties thought that in light of the work that went into the current bill and all the others, such as Bill C-12, the government might make the effort to take a collaborative approach with the other parties. Unfortunately, that was not the case.

Here we are, looking at Bill S-4, a bill that comes to us after, as we have heard from other members, a convoluted process, a bill that died on the order paper, a superior private member's bill that failed when the Conservatives did not support it. It is an effort to bring up to date the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA.

This is, of course, a very significant area of citizen and consumer concern. PIPEDA was passed in 2000, and a lot has changed in the world of digital information, privacy concerns, and information held by Internet providers, banks, and a great number of organizations to which Canadians trust their private information online.

Bill S-4 should have been an attempt, and may in fact have been an attempt that failed, to adequately balance the privacy rights of Canadians and the important facilitation of commerce in Canada. That would certainly be the expectation.

The larger context around which the bill comes to us is one in which we have had some rather spectacular accidental breaches of the privacy of Canadians through the release, through various errors, human errors, of health information, consumer information, and banking information because of breaches in the system.

One would have thought, especially in the specific context of the last year, that in drafting the bill, the government would have been very cognizant of the decision of the Supreme Court of Canada in June 2014 in the Spencer decision. That was a decision written by Mr. Justice Tom Cromwell, one of my former friends and professors from my time at Dalhousie Law School, a brilliant legal mind and someone who has, within the Supreme Court of Canada, written a number of critical and important decisions. The Spencer decision is one of them.

The Supreme Court of Canada, in Spencer, came down very clearly on the side of the privacy rights of Canadians. Mr. Justice Tom Cromwell wrote in his decision:

...the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information....

He went on to note that users would never really know when their information was forming some sort of pattern that resulted in a review, and users, consumers, would not know when their information might be becoming accessed. However, in entering into agreements with ISP providers, the Supreme Court of Canada, through Mr. Justice Cromwell, noted that there is a “reasonable expectation of privacy in subscriber information”.

There is no denying that Bill S-4 would do some things that are fairly universally approved of by those who are leading critics in this area. The Privacy Commissioner for the Government of Canada, and of course, the Privacy Commissioner is an officer of Parliament, saw a number of significant improvements.

The Privacy Commissioner started his review by turning his attention to the purpose of PIPEDA in the beginning, back in the year 2000, noting:

The purpose...is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Given the fast-changing world of digital communications, with the Internet, the cloud, and all the various ways in which we now store information online, fortunately Parliament saw fit in the year 2000 to include a five-year mandatory review of PIPEDA so that we could keep up with the ways in which technology moves so rapidly.

Generally speaking, some of what is being done here has met with universal support. The risk-based approach that would allow organizations to assess each incident on a case-by-case basis was supported by the Privacy Commissioner, at least. The Privacy Commissioner would have an opportunity to enter into compliance agreements, but while the Privacy Commissioner found this acceptable, numerous other commentators did not. They did not feel it went far enough or actually protected privacy information adequately.

The things that met universal approval I will list briefly. The improvements in Bill S-4 include the additional qualification and clarification of what is meant by the standard of consent, the extension of a deadline to take cases to the Federal Court, and of course, the expansion of the powers of the Privacy Commissioner to publicly disclose information related to findings. These were things the Privacy Commissioner liked.

Leading critics include, and my friend from Terrebonne—Blainville has already pointed to one of the leading critics in this area, Professor Michael Geist, advisers, and a very exceptional group of lawyers who now work a lot on information privacy law at the Public Interest Advocacy Centre, where, in the 1980s, I was also associate general counsel. However, in those days, believe me, we did not have open files on Internet data and privacy, because we were mostly dealing with trying to advocate in areas of technology that now seem very outdated. In any case, the Public Interest Advocacy Centre has stayed on top of the technology.

We had from the Canadian Bar Association, the Public Interest Advocacy Centre, Professor Michael Geist, and of course, members of opposition parties a rich group of substantive and helpful amendments that would have led to universal support for this bill at that moment. Unfortunately, those amendments were all rejected.

I want to look at three aspects in the time I have left this afternoon: compliance agreements, the expansion of voluntary disclosure, and transparency reporting.

Compliance agreements are a source of concern. The way in which they are drafted in Bill S-4 would have been acceptable had they been strengthened and had penalties or had an order-making power been available to the Privacy Commissioner, but they have none of those things. The Canadian Bar Association brief made this point about it:

Our principal concern is that while entering into such an agreement with the Privacy Commissioner stays any court enforcement by the Commissioner, it does not have any effect on any affected individual’s right to go to court against the organization for the same matter under investigation. This omission means that there is a much lower incentive for organizations to enter into such agreements. Also, it is not consistent with the regime in other similar schemes.

Despite recommendations to improve this, no improvements were made.

Second, the expansion of voluntary disclosure is probably for me the most significant failure of Bill S-4 and is quite inexplicable in that it runs directly counter to the Spencer decision I referenced earlier. This needed to have much more rigour to ensure that there was no warrantless access. This is the key issue. The task force should have come down harder for privacy rights.

Last, in transparency reporting, there should have been reforms to require organizations to publicly report on the number of disclosures they make without knowledge or consent and without a judicial warrant.

This information should have been disclosed on a regular basis for transparency, and organizations should have been required to notify affected individuals within a reasonable time of any accidental disclosure.

With that, I regretfully conclude that Bill S-4 does not meet the standard this Parliament should expect of an update to PIPEDA.

Motions in Amendment / Digital Privacy Act / Government Orders

May 12th, 2015 / 3:30 p.m.

NDP

Laurin Liu NDP Rivière-des-Mille-Îles, QC

Mr. Speaker, I would like to thank my colleague from Terrebonne—Blainville for her work on this issue, which she knows a lot about.

We know that the Conservative government introduced Bill S-4 as a way to protect consumers. It is trying to sell the bill as a bill for consumers. However, consumer advocacy groups, lawyers, professors and even the Privacy Commissioner have indicated that there are problems with the bill, such as the provision on voluntary disclosure.

Can my colleague comment on the lack of balance in this bill?