Bill C-11 (Historical)

Madam Speaker, I saw from the stakeholders that big business certainly likes the bill, but I want to talk about small businesses, like insurance companies, for example. The minister talked about data portability and open banking. Currently, in Canada the insurance arms of banking companies are not allowed to share that information with their mother company, the bank. This creates a competitive playing field for small and medium-sized insurance companies.

I wonder if he can address the concerns of small and medium-sized insurance companies that their business will be severely disadvantaged by the legislation and tell us what efforts the government will take to help those companies.

Madam Speaker, as I highlighted in my remarks, the legislation is good for small businesses. It would provide them the ability to work with the Office of the Privacy Commissioner to create codes of conduct to enable them to be compliant with the act. The tribunal process is also less expensive and onerous for small businesses, particularly when we compare it with the lengthy processes they may have had to pursue in the past in the courts.

More importantly, I think the legislation gives control to Canadians, particularly in the area of portability, as the member opposite highlighted, by enabling small businesses to be able to take advantage of the fact that Canadians can now move their personal data from one organization to another. That creates more competition and more choice, which will have a positive impact on small businesses.

Madam Speaker, I have a question for the hon. minister.

Quebec is currently giving this careful consideration. Personal information belongs to individuals and is a provincial responsibility under the Constitution. The provinces are responsible for property and civil law. Quebec is in the process of modernizing its own legislation.

Knowing that, how do you see the two pieces of legislation eventually harmonizing?

I would remind the hon. member that he is to address his questions and comments to the Chair and not directly to the minister.

The hon. minister.

Madam Speaker, I thank my colleague for the question. He is right. Privacy is essential for all Canadians.

That is why we introduced this legislation, to make sure it is adequate with respect to the GDPR, but will also respect provincial legislation. This law demonstrates national leadership in an area where it is important to have clear rules to protect Canadians, their privacy and their data, and it will respect provincial jurisdiction.

Madam Speaker, I want to thank my hon. colleague for introducing the bill and for recognizing the work of the Standing Committee on Access to Information, Privacy and Ethics, which brought forward a number of these recommendations. It is essential that we move on this legislation.

I have some concerns when I look at the legislation. One of the key concerns I have is that the government has opted to ignore the need to bring political parties and third-party political operators under some form of privacy regime. I am sorry, but a pinkie swear from a party staffer that there is a privacy code does not cut it, not after what we have seen with the Cambridge Analytica scandal and the big data wars going on with political campaigns in the United States. We need to have political parties under some kind of regime.

Is the government willing to put this under a regime if we bring forward amendments?

Madam Speaker, I would like to thank my hon. colleague for his active role in this area. I know that the ethics committee has done tremendous work in terms of providing recommendations that have been incorporated into the legislation.

With regard to political parties, it is important to note, as the member has indicated, that the legislation is focused on commercial activities. We are looking at not non-commercial activities but commercial activities, to strengthen the privacy in this area and to make sure that Canadians have more control, not less control, and that there is greater transparency, greater accountability and meaningful fines that will make sure organizations comply with the law. That is the object.

Again, the legislation is focused on commercial activities, not non-commercial activities.

Madam Speaker, first of all, I want to congratulate my friend on being featured in this year's LinkedIn Top Voices profile. I offer congratulations on that.

I would like to ask the minister about data mobility and how the bill would assist Canadians and Canadian businesses. Data mobility is an issue that we have heard a great deal about over the years.

Madam Speaker, I would like to thank my hon. colleague for his friendship and support. I have sought his counsel on numerous occasions to get his advice on issues he had heard about from his constituents.

He made it very clear that Canadians should have more control over their data and that Canadians should have greater privacy online. As he reminded me, particularly in this pandemic, more Canadians are learning online, working online and accessing information online.

One area we targeted and honed in on to provide greater control for Canadians was around data portability. This will enable, as the member clearly highlighted, the ability for individuals to transfer their data from one entity to another. This will create an enormous amount of activity online. It will empower Canadians, and it will create opportunities in many areas, including, as I mentioned, in the financial sector, with open banking for example.

Madam Speaker, it is great to talk about data portability and privacy, but it does not matter if Canadians do not have access.

In the connect to innovate program, the government spent a lot of money, but it did not spend a single penny in southwestern Ontario to connect businesses, residences and Canadians with the Internet in order to give them proper service. This area represents 20% of Canada's economic output. In my own area of Norfolk County, over 30% are still underserved. There is no indication of a carve-out in the new program for funding. However, there are parts built in for financing that would only benefit the big players.

If the minister is serious about his commitment to small business, will the new program be modified to support small business ISP providers and to provide service to southwestern Ontario so that everyone could enjoy the new freedoms and protections that the minister is speaking about today?

Madam Speaker, I would like to thank my hon. colleague for her very thoughtful question and for her advocacy on the issue around connectivity. As a minister who served in the previous Harper government, she knows personally very well the importance of broadband connectivity.

If we look at the digital charter, the first principle talks about access. It is an important principle that we put forward in the digital charter, and it highlights the commitment that we recently made with regard to building on the work of the connect to innovate program through the universal broadband fund, as well as looking at low-earth orbit satellite technologies to provide that high-speed Internet connectivity for rural and remote communities.

From our perspective, it is all about more competition, which would provide more choice to Internet service providers, particularly the smaller ones, which would then enable prices to go down and would provide options to many Canadians, including those living in southwestern Ontario.

Madam Speaker, Bill C-11 will not protect personal data under the federal government's own jurisdiction. We saw what happened at the Canada Revenue Agency and how easy it is to steal a person's identity for all sorts of reasons. These are outdated tools when it comes to identity and security.

Why are there no rigorous standards set out for government agencies?

Madam Speaker, I thank my colleague for the question.

I understand that there are currently a lot of problems with data breaches. I hope that we can work together to come up with solutions for all Canadians.

Madam Speaker, today I am rising on Bill C-11, an act to implement a digital charter for government. This is an auspicious moment for Canada, because we are well under way in the digital age, and the need for clarity and concrete action to protect Canadians' privacy is a paramount need. While it is critically important, we also have to remember the need to protect small and medium-sized enterprises and to ensure that Canada can remain globally competitive as a jurisdiction for technology, data and innovation. I am concerned by some of the trends we have seen over the past few years, with Canada falling behind our global competitors, and I am concerned that some parts of this legislation could put us behind.

I am also concerned that we are falling behind when it comes to security. It is great to talk about protecting Canadians' privacy and putting in consent-based rules, but in an age of quantum decryption and computers that can break 120-bit encryption, if our security cannot be protected, then all the consent laws and privacy protections in the world are not going to mean much.

I want to break down this bill into simple terms. They talk about plain language in the bill, and so I am going to try to speak in as plain a language as I can, when dealing with a matter of this technical nature. I want to talk about some of the challenges and, I will grant the government, some of the opportunities that we foresee with this legislation. I want to also thank and recognize the work of the ethics and privacy committee in the previous Parliament, under the able chairmanship of my colleague from Prince George—Peace River—Northern Rockies. Many of the recommendations we have seen in this legislation come from the committee's report, so I think that shows Canadians that committees really do matter in the House, and that they can make a positive impact.

As I said, one of my chief concerns with this bill is its impact on small and medium-sized enterprises. It has been said for a number of years that data is the new oil. For many emerging enterprises, access to data and the ability to use this data will be the determining factor in whether they are successful or not. I do not need to say, but I will, that small and medium-sized enterprises are the lifeblood of our communities, and increasingly we are seeing how vulnerable they are, especially during the pandemic.

We have to consider the context of this legislation within the economy and the economic structures that the Liberal government has created over the past five years. We have seen an unrelenting attack on small and medium-sized enterprises, starting with hikes to Canada pension plan premiums. These hikes will continue even this January, in the midst of a pandemic. When companies are closing their doors and laying off workers, the government is looking at increasing costs even further for employers and employees. It is just not acceptable.

The Liberals in the past accused business people of being tax cheats when they utilized exemptions under the tax code. They decided to take it one step further by hiking taxes and removing these exemptions for many family-owned businesses, including for a lot of businesses and farm families in my riding. With this legislation, they are adding yet another layer of red tape that will force many onerous requirements on small businesses. I recognize that many of these requirements will be very helpful when we are talking about large businesses, and they have the resources to maintain these privacy requirements. I found it interesting that the minister was talking about the right to delete oneself. On many social media platforms that has been the case for a number of years, so it feels like with this legislation the government is trying to catch up to what businesses are already largely doing. However, we see that small enterprises are increasingly reliant on technology and data.

In this legislation, there are a number of new requirements. There is a certification requirement and a requirement for businesses to designate somebody in their business to be the privacy watchdog. Businesses have to maintain databases and be ready to respond to customer requests or investigations. When we talk about very small businesses, which could have only two or three staff or maybe a sole proprietor, to add this new layer of red tape is really going to create a lot of challenges for them.

Ironically, it would actually benefit big businesses because when small businesses have more red tape, they might decide to no longer stay in business. Therefore, we will see even more consolidation among the big players: the Amazons, the Walmarts and companies that are large collectors of personal data. Our thriving, innovative start-up economy will start to be strangled under this legislation.

I hope that when the government is considering amendments at committee, it consults with small businesses. I encourage it to consult with the CFIB to look at the challenges small businesses are going to face, and to try to come up with some sort of threshold to ensure that small businesses are not unduly burdened.

I appreciate that this bill is largely targeted at major corporations and tech giants that use massive amounts of personal data for everyday business. We know that these companies have the capacity to do better in protecting our privacy. I hope that this legislation can spur further commitments to protect Canadians' privacy. However, as I said, it concerns me that these large corporations largely have already implemented a lot of the things that the government is talking about. They have the human resources, legal departments and the endless ability to tap debt markets, bond markets and stock markets to finance these changes. Frankly, small businesses do not.

I asked the minister a question, which he really did not answer, about data portability and the impact on small and medium-sized enterprises. The minister couches it in terms of consumers having the right to ask for their data to be moved from one organization to another. It seems like a really great thing, but I cannot think of too many situations in which a regular Canadian would be the person initiating that conversation. However, I can see where a bank would, for example, when dealing with its insurance arm. Many large Canadian banks also have insurance companies.

There has been a fence put around these companies to ensure they do not become too big and anti-competitive. Information cannot currently be shared between insurance companies and banks owned by the same company, but through this legislation, the insurance company just needs to provide a plain-language document asking clients if they want their information to be shared with its banking arm. With the massive amount of data that insurance companies and banks have on Canadians, we can see how quickly they could possibly use this as a predatory practice to increase, consolidate and suck customers away from small and medium-sized insurance companies.

When I drive through my riding of Sturgeon River—Parkland, I am proud to see about a dozen small and medium-sized insurance businesses for auto, home and life insurance. There are tens of thousands of Canadians employed in this important industry, and they are not all working for the big banks. I really am concerned that this legislation could make our marketplace much less competitive, so I hope the government considers that impact as well.

My next point is about enforcement. I am really skeptical about the government's ability to deliver for Canadians. We see, in spam legislation and other legislation, that a lot of words are not being put into action and there are consequences for actions that are not being followed through on.

Similarly, this legislation packs a lot of firepower. It talks about threatening $10 million in fines, or up to 3% of global revenues. It is the toughest in the G7, as the government has said, but I wonder what power the government really has to compel payment. When we talk about potential serial abusers of our private data, we are talking about massive multinational corporations with billions in revenues.

I wonder if we can anticipate similar challenges as those faced by France when it attempted to collect taxes on digital giants from the United States. These included a challenge at the World Trade Organization and retaliatory tariffs on French products.

I wonder if the Liberals have given any thought to the potential consequences of trying to collect large fines from these companies. Does the government anticipate that our trade competitors are going to let these challenges go unanswered when we try to collect? Have the Liberals considered the consequences that this could have on the Canadian economy, and are they ready to be open about this very real threat? I am not saying that this is not something they should pursue, but we need to know what the potential consequences are before moving too quickly on this.

Canadian innovators are at the forefront of technological advancement, and I think that is something we can all be proud of. However, a concern that has been brought to my attention is the protection of proprietary algorithms by start-up tech companies that rely on data. Some of the provisions in the bill would enforce algorithmic transparency, which sounds great for consumers, but I see that it could be used by business competitors to expose sensitive, confidential and proprietary information.

Has the government considered the consequence of what these actions would do to our start-up companies that want to keep their algorithms proprietary and confidential? A company may be in a situation where it is looking for a buyout at a later date and needs to build up to the point where it can really get the value it believes the company is worth, but if this algorithmic transparency could be used by its competitors to investigate the use of its algorithms, it could possibly be used to steal things that are patent-pending or as leverage in a negotiation for a buyout. I would like to see more stringent protections for our nascent technological sector, to prevent their algorithms from being exposed.

Next, in the bill, the minister sort of alluded to the exemption for socially beneficial purposes. We need to drill down and explore the idea. The minister provided some examples: government, health care agencies and education. I do not think many Canadians could really object to these organizations being exempted, but one point named organizations that exist to promote environmental protection.

We believe in strong environmental protection, but are we possibly talking about environmental charities that may have a political arm or an agenda in an election? Are they going to be exempted to use Canadians' data in any way they see fit? What potential consequences could this have on keeping our elections free from foreign influence or ensuring transparency in political communications? I would really like to get a clearer idea of what the government means when it is talking about socially beneficial purposes, because we are living in an age, as the member for Timmins—James Bay said, when there are data wars. If organizations are misappropriating this data, using it to influence our elections and our democratic process and being provided an exemption, we really need to explore that.

Next I want to talk about the 10 pillars of the digital charter that the government has brought forward. We know that a charter, as any statement of values, is really only as good as the resources and enforcement behind it, so I want to highlight a few of these pillars and address some concerns that I have.

Pillar 1 talks about universal access: “All Canadians will have equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills.” As my colleague for Haldimand—Norfolk was saying, too many Canadians, the fourth coast as some would say, even in relatively urban areas, say that we are far from accessing high-speed and reliable broadband services.

For years, successive governments have pocketed billions and billions of dollars from spectrum auctions. They have been announcing and reannouncing, and in some cases reannouncing a reannouncement, on enhanced rural broadband. The Liberals have promised the universal broadband fund as their solution. They even claimed that they topped it up by another $750 million a few weeks ago, but communities in my riding who recently applied for the universal broadband fund were told that they did not qualify.

I come from a fairly rural riding, and people were basically told that, according to the data, the Internet in their communities is fast enough. That is not acceptable. They should try explaining that to farming families in Sturgeon or Parkland County, or try telling that to people living in Stony Plain, Gibbons and Morinville.

We still have movie rental stores in my riding. I asked somebody how these movie rental stores stay in business, and the fact is, the Internet is so bad, the only way for people to watch movies is to go to their local movie store because they cannot access Netflix and all these other great things.

We are talking about a pandemic right now, and increasingly parents are wanting to supplement their children's education at home. They cannot access their education. A principal of my local high school, Onoway Junior/Senior High School, lives less than one mile away from the high school. The high school has high-speed Internet that is connected by the Alberta SuperNet, but less than a mile away the principal cannot get any Internet services.

The government is saying their Internet is fast enough, and that they do not qualify for the universal broadband fund, but, if we do not qualify, then I do not know who qualifies. This is unacceptable. It is time for the Liberals to put real funds behind real action to deliver broadband access to Canadians in rural and remote areas.

Pillar two of the digital charter is safety and security. It reads, “Canadians will be able to rely on the integrity, authenticity and security of the services they use and should feel safe online”. This is yet another great promise that the Liberals have failed to deliver upon.

I remember over the summer, when scammers used Canadians' personal information on the Canada Revenue Agency website to access CERB payments. These were not foreign actors we were talking about. These were private actors using information that they could get their hands on to breach Canadians' accounts, and this breach was so bad that it even forced the CRA and the Service Canada websites to shut down.

Thousands of Canadians who wanted to were unable to access the CERB, and all the useful services on those websites, because the government has not put security as a priority. Security must be central to digital government and to our digital economy. I appreciate that the government wanted to get those programs out quickly, but we are increasingly seeing the consequences of not building in security from the foundation up.

It was not just the CERB program that was hacked. In February, news broke that the National Research Council systems were hacked, mainly the health research databases. This cyber-attack was caused by ransomware. The hackers used the ransomware to try to extract payment from the government. Every year the National Research Council collects information on more than 25 million health care consumers across the U.S. and Canada. The National Research Council was also hacked in 2017 by state actors.

This continues to be quite a substantial threat. Hospitals and other information technology services are increasingly being targeted by these kinds of crimes. Since 2016, according to a cyber-threat assessment, there have been 172 attacks on individual health care organizations with costs topping $160 million. Those are just the attacks that are known about. It causes one to wonder how many attacks have not even been discovered yet.

It gets worse. Despite the multiple data breaches, the protection on critical infrastructure plan has not been updated in this country since 2009, despite major technological advancements. I alluded earlier to the Manhattan project of data decryption and quantum computing, which we are seeing out of countries like China. They threaten to blow open all of our current encryption technologies. It shows us that the plan is even more critical.