Bill C-11 (Historical)

Madam Speaker, I want to thank my colleague for all his clarifications on Bill C-11.

However, I would like to take him in another direction. Quebec is also currently studying proposed legislation, Bill 64, which would provide increased protection for personal information and is heavily based on European law.

I am wondering if the government considered how these two laws will work together, to avoid the confusion that any overlap would cause for the consumer.

Madam Speaker, crafting legislation is obviously complex, and governments reach out to various jurisdictions in analyzing similar legislation to adapt best practices that occur elsewhere. Certainly, as the bill moves through the parliamentary process and gets analysis and debate at various stages including committee, I am sure all those best practices will be brought forward and included in any amendments that may make the bill stronger, better and less confusing for consumers, as the hon. member pointed out.

Madam Speaker, I heard something from an organization a few years ago. It was talking about providing individuals with the ability to give their consent for the use of their information and allowing for companies to compensate them directly.

Considering this has been out there for quite a while, I wonder why the government did not put it forward in the legislation and what the member would think about that as an amendment.

Madam Speaker, the complexity of the question lies in the definition or interpretation of consent by the individual who is giving it. That is why legislation in most cases is broad and can be broadly applied, as my hon. colleague pointed out. She used a specific reference, but in this case it is about incorporating an individual's or a business's idea of consent into legislation so that it respects the many definitions of consent across the country.

Madam Speaker, could my hon. colleague provide his thoughts as to why it is so important that we bring forward legislation of this nature? I have not had this factually substantiated, but one thing I was told is that the amount of information that has been put on the Internet in the last two years is greater than the amount of information that has been put on the Internet for decades. One can only imagine what it is going to be like two years from now.

Could my colleague provide his thoughts on why it is important that we bring forth this legislation?

Madam Speaker, as my colleague is a long-time parliamentarian, he would understand that in the last five to 10 years, the world economy has expanded and changed so rapidly, especially on the data side and in the technology base, that we are really running to catch up. If we look at businesses in the past, we see change occurred slowly and businesses, especially small businesses, could adapt to it in a meaningful way.

At the heart of this legislation is the idea of providing certainty in an uncertain world to small and medium-sized businesses, which really are the foundation of Canada's economy. The government should be able to provide certainty to small and medium-sized businesses, as it is a key economic driver in the country.

I am excited about this legislation, as it provides for a certain world in a very dramatically changing data period. That is why the bill is important. It will require amendments, though, as it goes down the road, because we will be playing catch-up for some time.

Madam Speaker, I am honoured to be sharing my time with the member for Terrebonne.

I am pleased to rise to speak to the fundamental issue of the protection of privacy.

Since March 2020, Quebec business owners have been hard hit by the negative economic impacts of the COVID-19 crisis, namely the lockdown, the closures, the health measures, the labour shortage and the drop in consumption.

SMEs in Quebec have received assistance in the form of tax credits from the Government of Quebec and the Government of Canada to help mitigate these negative economic impacts. Now more than ever, SMEs are struggling under a burden of debt and many of them may never recover. At this difficult time for Quebec's social and economic life, I am worried about Quebec's SMEs, and particularly the small business owners who do not have the time or money to get bogged down in a data protection program that, in some cases, will have to take into account a number of Quebec and Canada laws.

By amending the Privacy Act, the Government of Canada is creating a number of problems for Quebec's SMEs because of legislation adopted by two governments, the Government of Quebec and the Government of Canada. Depending on whether their economic activities extend beyond Quebec's borders, it is very likely that Quebec's SMEs will not know which law governs their data protection plan.

The new federal law proposed in Bill C-11 will have real teeth, which means that Quebec's SMEs are likely to suffer, unfortunately. I am scared to think how this bill will affect Quebec's SMEs.

The pandemic is forcing many retailers to shift to online sales, the kind of electronic commerce referred to in the bill. In his speech to the House this morning, the Minister of Industry acknowledged that the protection of personal information is essentially a provincial responsibility and a matter of civil law. He said his bill respects provincial jurisdiction, but a closer look at the text reveals that to be not quite the case.

It is true that Bill C-11 applies to all federally regulated businesses. However, businesses that are not federally regulated, which describes the vast majority of companies and virtually all SMEs, are not really excluded from the scope of the bill.

The minister can exclude them if the province has substantially similar legislation, as is the case in Quebec, but he cannot exclude them entirely. In fact, he can exclude them only “in respect of the collection, use or disclosure of personal information that occurs within that province”.

Imagine the mess: a Quebec SME will have to comply with the Quebec law if the information does not leave Quebec, but it will have to comply with the federal law if the information does leave Quebec. Information collected from one customer will be subject to two different laws.

Which law do Visa card payments fall under? Does it depends on which territory the Visa server is located in? This seems unenforceable to me. If a business is covered by the Quebec legislation on data protection, that should apply to all its activities, not just half of them, as it would under the bill as currently worded.

Furthermore, Quebec laws are also adapting to the reality. We must recognize that the federal government's bill represents a step forward, because the current legislation has no teeth. Under Bill C-11, a privacy commissioner could establish the specific practices to be adopted in accordance with the principles set out in the legislation. A privacy commissioner would have order-making powers to force organizations to comply with those principles.

Under Bill C-11, a citizen could file a complaint with a tribunal. The privacy tribunal will also be able to impose significant penalties of up to 3% of a multinational's global revenue for non-compliance. In short, the major difference between the law and the bill we are debating, is that the bill's mechanisms are more favourable to citizens when faced with an organization that misuses digital data.

This bill fails to address the important issue of online identity protection to prevent fraud through identity theft, especially when Canadians engage in financial transactions. Bill C-11 does nothing to ensure that financial institutions in Canada verify someone's identity before authorizing a transaction, which exposes Canadians to fraud. Even the federal government has failed to properly verify a person's identity before authorizing an electronic transaction.

I would like to share an unfortunate incident that happened to one of my constituents. This summer, a young man was a victim of identity theft and wound up having to defend his reputation to the Canada Revenue Agency and another financial institution. It was my own office manager who, while talking to a federal official on the phone, realized that fraud had taken place. My office manager took charge of the case and helped my young constituent navigate the unpleasant process that lasted weeks. There was a police investigation and all kinds of documentation. There were numerous discussions with a financial institution and government officials. He had to go to great lengths just to prove that a fraudster had stolen his identity and to defend his reputation to a financial institution and the Canada Revenue Agency.

It was weeks before this young man was able to access the Canada emergency student benefit he very much needed. That is not exactly the kind of introduction a young adult should have to dealing with banks and governments. This whole situation happened because the government did not take the time to verify the identity of the CERB applicant.

The government needs to set an example and take immediate action to combat identity theft. This is a serious problem. Bill C-11 contains some privacy mechanisms, but there is no mechanism to verify the identity of users or consumers to protect their personal information.

I remind members that private information falls under the umbrella of property and civil rights, which is a provincial jurisdiction, as set out in the Constitution. Quebec is in the process of modernizing its act. Unfortunately, it is difficult to assess right now how the federal act and the Quebec act will interface.

However, the Bloc Québécois foresees some problems, and we do not want these problems to affect small businesses in Quebec, which, I remind members, are struggling as a result of the economic issues associated with the COVID-19 crisis.

SMEs carry a heavy debt load at times. Any additional weight on the shoulders of Quebec entrepreneurs is becoming harder and harder to bear. Considering the potential administrative nightmare that could result from how the federal legislation intersects with the Quebec legislation, I would ask that Quebec SMEs be exempt from Bill C-11.

Simon Marchand, chief fraud prevention officer at Nuance Communications, is a certified fraud examiner, a certified administrator and an expert in biometrics and security. He appeared before the Standing Committee on Industry, Science and Technology on May 20. We were discussing fraud-related topics. He mentioned that in the context of COVID-19, telework was a risk factor. This is especially true when it comes to customer service.

All customer service agents who normally work in call centres now work from home, in an unsupervised environment. These agents have limited resources, but now have the opportunity to access sensitive consumer information, whether it is data on their assets or information that could be used by anyone to impersonate someone else.

A second factor is the socio-economic reality, which will no doubt put pressure on many households. When it comes to internal fraud, we know that pressure and opportunity are the two basic factors that drive an employee to go against their employer’s interests and commit fraud.

Some areas have seen a 600% increase in the number of phishing scams involving COVID-19; attachments, links to websites and other methods are being used to lure victims. Fraudsters will be able to get their hands on vast amounts of consumer information, which they will not use in the next few weeks. Rather, they will wait six to 18 months before opening up accounts, taking out financial products and acquiring products from telecommunications carriers. That is what this bill is all about. It provides a modicum of protection, which is a good thing.

In terms of accountability, Simon Marchand said:

I think, though, the focus should be on accountability and the responsibility companies have in relation to the information they use to deliver services.... it calls into question the bank’s responsibility, which is protecting that information.

The first benefit of accountability will be to give the government a clear picture of the situation. It will know exactly how many victims there are, and it will be able to direct measures accordingly to strengthen security, particularly in banks and telecommunications companies.

This will put a burden on businesses, which will have to file reports, but this burden is not unreasonable, since the data they have is already known. All they will have to do is provide them to lawmakers or to a government-supervised body that can present these data more broadly and anonymously so that members of Parliament can access that information and know exactly what is going on in Canada.

This is an important step, because if there is a leak, companies must tell individuals what information was exposed and the risk of harm from the leak. That is what the bill does, and it is absolutely fundamental, because that is a risk that we run.

In conclusion, the lack of accountability for federally regulated businesses is a problem with the current legislation. There is currently no overall picture of how many people are actually victimized by having their identity used once it has been stolen. I am therefore pleased that the federal government is taking greater responsibility and beginning to act by introducing this legislation.

Madam Speaker, when we talk about the legislation, even some of its limitations, and how it could be complemented by working with other jurisdictions, it is important that we recognize the role provinces can play through provincial legislation, which could complement it or even be a leading force. We previously have seen this with other administrations.

For me, the overriding concern has to be the privacy and protection of Canadians and consumers. That is the most important aspect going forward when we deal with legislation of this nature. Could the member provide his thoughts on how important it is to protect the information of individuals that gets onto the Internet via one way or another?

Madam Speaker, I thank my colleague from Winnipeg North for his excellent question.

I agree with him. The best way to thwart identity theft is to ensure that the person who wants to conduct a transaction is who they say they are. People can be identified based on what they know, what they have and who they are, through personal information. A person's name and address are part of what they know. The IP address of their computer or a cellphone number where an institution can send a text message are part of what they have, and finally, facial recognition, their handwriting or their digital fingerprints are part of who they are. These are ways to fight fraud.

In the European Union, two of these three ways must be used to identify a person. Why does Canada not do the same? These control mechanisms will not cost more than fraud will if nothing is done.

Madam Speaker, we know identity theft is a crime. We saw what happened with LifeLabs; over 15 million people's data was stolen. An employee at Desjardins stole the personal data of four million people and affected 173,000 businesses.

We are not discussing the Criminal Code today, but maybe the member could talk about what changes he would propose in dealing with those issues to ensure there are steep penalties so that does not happen again.

Madam Speaker, I thank my colleague for his question, and I want to take this opportunity to talk about crisis management.

In my opinion, Desjardins' response is the gold standard. It acknowledged the thefts and sent a personal letter to its clients or, specifically, to the clients that had been affected. As a result, they were able to act very quickly.

There have been other situations. Equifax chose to cover up what happened to protect its reputation. The Bank of Montreal and CIBC did the same until the hackers themselves put a message online. There are dozens of similar examples.

Desjardins knows its clients. In all likelihood, it is other financial institutions, and not banks, that fall under federal jurisdiction. Once we identify the problem we can find a solution. The first solution is transparency.

Madam Speaker, I have a question that relates to applicability, which was mentioned by my colleague.

In my previous job as a software development professional, I learned that the European general data protection regulation was applicable to anyone who provided goods and services. Our company, even though we registered it in Canada, does business there as well. Therefore, I imagine many of the businesses in Quebec would also do business in Europe, and the GDPR would be applicable.

Could he comment on that?

Madam Speaker, I agree with my colleague, and I would even add that this should apply to the federal government.

The government does not verify identities online, and any verifications that do exist are cursory ones. I should say that the government is not doing what it needs to do to ensure that an applicant is actually who they claim they are. As we have seen with the CERB, this can really open the system up to risks like identity theft, which have serious consequences for Quebeckers and Canadians.

Madam Speaker, it is a great pleasure to speak to Bill C-11 today.

This is an extremely important subject that concerns the security and protection of all citizens' personal information. As my colleague already clearly stated, over the past 10 years and during the current pandemic, there have been a multitude of phishing scams via telephone, the Internet and online shopping platforms, which are increasingly popular.

I believe that Bill C-11 is timely and will correct major problems that we have been seeing for some time in different areas. For example, there have been cases of bank fraud, notably at Desjardins, and the federal government has also been affected. I know that the bill does not apply to the federal government, but this issue remains a very serious concern.

Take, for example, a situation that has occurred in my riding of Terrebonne. For the past month or so, we have been seeing a whole host of complaints related to the Canada Revenue Agency, from people whose identities were stolen by fraudsters who claimed CERB cheques in their name. This shows that there is a gap at the government level, which is very interesting.

I understand that we need to look at what requirements should be established for banks and e-commerce, but I think that there may be some aspects of the bill that we could rework. We are only at debate at second reading for this bill, which means that the bill could be amended and improved to give it more teeth, make it more robust and ensure that it is more responsive to the various threats that could arise in the future. Since we are essentially talking about technology here, the new law should be able to adapt its mechanisms to the changes in technology that will occur in the coming years.

However, there are a number of troubling issues that the bill does not address. For instance, metadata is not included in the bill. I am not an IT expert, but metadata is something that we see regularly. For example, if we spend a few minutes on the Internet searching for a camp chair, it is not unusual to then see ads for various types of camping equipment.

That is worrisome because metadata can be used to target specific individuals. When a group of individuals is targeted, there is a risk of more targeted threats or cyber-attacks. That is why I think it would be a good idea to improve the bill by addressing the issue of metadata.

The federal government, and the Canada Revenue Agency in particular, has quite a lot of work to do on matters of identity theft. The CRA's mandate is to manage revenues on behalf of the Canadian government.

However, what happens in the case of computer fraud as a result of identity theft? In that case, it becomes more a matter of public safety and national security. In many cases, fraud and identity theft, particularly in the banking sector, are committed from abroad using fairly sophisticated electronic means.

Once again, I am not familiar with the mechanisms used to investigate these predominantly computer-based threats or to protect us from them.

I am also referring to the recent debate we had—and I do think this is related—on 5G networks in Canada, in terms of the technological means that will be deployed over the next few years to protect the IT infrastructure itself from all threats and foreign influences.

In some cases, the threat might involve political or public influence. In other cases, it could literally be individual hackers from around the world who use technology, including 5G networks, to circumvent security mechanisms and break into various systems to steal identities and the personal data of the various citizens that we are meant to protect.

It seems to me that the general intent behind Bill C-11 is a worthwhile one, crucial even, as I said in my opening remarks. However, we also need to tackle the technical side. I get the sense that some issues were not considered from all angles so as to ensure that the bill reinforces the back door as much as it does the front door.

Once again, protecting online identity is the most tenuous aspect, and we are trying to rectify that here. I am concerned about a number of aspects of the authentication mechanisms, because that is really what this is about. Currently, many banks, institutions and businesses use a variety of platforms to secure and protect the identity of online customers and consumers.

As a few minutes on the Internet will show, private online commerce companies use many different authentication platforms and mechanisms. It might be a good idea to consider using the bill to standardize those online transaction authentication mechanisms, but the government seems unwilling to do that in the current version of Bill C-11.

The government wants to have companies and financial institutions take on more of the control, responsibility and obligations of protecting personal information. The government should, however, set out some very specific measures in the bill to ensure that all companies can shoulder this responsibility. Not every company has the financial means to set up robust data protection mechanisms. I therefore think that the government needs to set some statutory requirements.

As my colleague from Abitibi—Témiscamingue pointed out earlier, a lot of small merchants and businesses do not have the financial means to improve or modernize their technology infrastructure. This issue may also need to be addressed in the comprehensive approach we are advocating today.

There is the whole issue of jurisdictions. Quebec's jurisdiction over civil law and consumer protection plays an extremely important role. We know that the laws are confined to the jurisdictions for which they were written. This is not just a Quebec and Canadian problem, but also an international one. By the way, I think it will be necessary for the government to define very clearly these famous control mechanisms and make solid political and governmental choices in connection with the new information technologies that will crop up here at home.

That is essentially where this will play out. We cannot give a foreign government control over telecommunications and computer infrastructure. It is extremely important. We are wading into another field, but to be able to protect our constituents we have to ensure that our infrastructure is not threatened by other countries or by foreign nationals, such as the hackers I mentioned earlier.

Then we have to find some form of standardization to help ensure that clients or consumers are protected during online transactions. Let's not forget the entire issue of metadata, which are a formidable tool for any bad actor wanting to target and attack groups that are more privileged or more vulnerable.

In conclusion, the federal government must ensure that Canadians can be guaranteed, in all circumstances, that a consistent international standard will be rigorously applied, and that it will be possible to efficiently identify any and all fraudsters. Identifying fraudsters has always been a problem, and the Canada Revenue Agency could speak at length about this in committee.