Bill C-11 (Historical)

Colleagues, have a very merry Christmas.

There is no agreement in regard to virtual meetings, so our next meeting will be when the House sits again.

Take the time to have some rest. Obviously, we're going to have some back-and-forth emails in regard to the upcoming Bill C-11. I welcome that as well.

Be safe and spend some time with your family, at least as far as the local laws permit. We'll see you back in 2021.

Merry Christmas and a Happy New Year.

Thank you so much.

I thank my colleague for stepping forward with this motion. I had been looking at this issue as something that we maybe would have looked at under Bill C-11 in terms of privacy rights.

The shocking news that we've seen—and shocking news internationally that has come out—is that Canada is home to a company that has been accused of hosting child pornography, revenge porn and non-consensual acts that have destroyed lives. It is something our committee needs to take very seriously. I think we need to bring in the owners of Pornhub.

I think we need to find a way to allow some of the survivors of this horrific abuse to speak to us if they're willing. If that's the case—and we don't have to debate that now—perhaps we could provide a safe forum where they could testify if they don't want to testify in public, so that they could provide that testimony to us. We should make that offer so that we know what the real-life impacts are.

Another issue that concerns me, a broader issue that Mr. Erskine-Smith and I dealt with to some degree in the last Parliament, is the safe harbour provisions. The safe harbour provisions allow large tech giants to be legally absolved from some content that is extremely destructive. In the past, we dealt with content that was extremist, racist and violent, content that has led to people being hurt and killed in other jurisdictions, but under the safe harbour provisions, you have to go after the person who posted it, which is not always easy.

If we had no safe harbour provisions for sites that post sexual violence and attacks on children and they were liable, that content would be down immediately, and it wouldn't get up there to begin with.

I think our committee can look at this issue. I don't think it needs to be a big study. I think we need a study that reports to Parliament. We could do this in a couple of meetings. Urgency is important. We need to vote on it today so that we're ready in February to deal with it. I would like to suggest two meetings and then a report. We could have more meetings if needed.

This is the kind of thing that our committee needs to be able to report on to Parliament with recommendations that we can move on very quickly.

As for Mr. Erskine-Smith's other suggestion about January, I certainly am very interested in talking about witnesses for Bill C-11, because I think this is going to be a very important study. I'll make myself available as long as we're not.... Maybe more informally, as a subcommittee, we could just talk through some of this and find a way to get ourselves oriented for February.

Those are my comments. However, I'm definitely ready to vote on this motion now.

Thanks very much.

Before I move the motion, I have spoken to Michael and also briefly with Charlie. I have not had a chance to speak with my Bloc colleague.

In relation to Bill C-11, I'm not going to move any motion on Bill C-11. I just hope that we have a common understanding. As we head into the new year, I hope to be a more permanent member of the ETHI committee when Bill C-11 will ultimately be referred to us.

Just so that we take advantage of January as much as we reasonably can, there needs to be a broad consensus that we'll work off-line to develop a work plan and witness list. We can then hit the ground running in a collaborative way when we get back. I just want to put that out there, and I hope there is broad consensus for that.

Specifically, you all have noticed, and I think we have all read, the horrifying stories in relation to the failure of Pornhub and MindGeek to take down illegal content in a timely way, and that has seriously damaged lives. Women's testimony in media reporting has indicated very clearly that they have not been able to come back to living a normal life because of the damage of those videos and the images that have been shared.

As I provided notice, I move:

That the committee call representatives of Pornhub / Mindgeek, namely Feras Antoon and David Tassillo, to explain the company's failure to prohibit rape videos and other illegal content from its site, and what steps it has taken and plans to take to protect the reputation and privacy of young people and other individuals who have never provided their consent.

Mr. Speaker, we live in a country where the right to privacy is fundamental.

Today's youth are vulnerable, and some are victims of traffickers who post content online without consent. Bill C-11 could be amended to protect personal information.

Is the Liberal government prepared to protect these vulnerable members of our society?

Thanks, Madam Chair.

Anthony, you probably recall that, when you attended our privacy committee before, we had a conversation about data portability. It hadn't been in the competition commissioner's early reports, but I know that you have taken data and privacy issues much more seriously now. I think as a consequence of that, we now see it in Bill C-11. I just want to thank your office for that.

When it comes to the Facebook agreement, which I think is also good news, that consent agreement and a $9-million fine with $500,000 also to reimburse the commissioner for costs.... When we look at the States and the fine of $5 billion, even when you adjust for population here in Canada, it would still be significantly more in terms of a fine in the United States than we saw in Canada.

Can you speak to the capacity of the competition commissioner to levy those fines and why it was one-fifth of what we saw when you adjust for population?

I'm finding this very informative. Thank you for being here today.

I want to come back to the discussion related to the dominant tech players, particularly the giants—we're seeing organizations like Amazon, particularly, coming into the market—and the use of data. I know you said you will be reviewing Bill C-11, but I wonder, with that kind of dominance and that control and use of data, if we should be concerned that there aren't enough teeth in your act or in Bill C-11 to deal with things like customer lists. This is stuff that's proprietary and that could really put at risk smaller Canadian companies, small businesses that are using what they think is a service provider but actually could quite likely be a competitor.

Okay. Thank you.

The federal government, as you know, recently introduced Bill C-11 for the protection against commercial exploitation of personal information and the establishment of a data protection tribunal. Clause 14 of this bill would notably amend the Competition Act to facilitate co-operation between the Competition Bureau and the Privacy Commissioner.

How does this bill affect your activities, if Parliament enacts it in the near future in its current form?

I completely agree with you. It's a significant issue, and actually made far worse with the pandemic. Given that market dominance, it has increased significantly.

Has your department spent much time reviewing the provisions within Bill C-11 on data privacy and some of the data regulations? Are the definitions strong enough? Have you done a thorough review? Can you share with us any opinions you might have, either right now or by following up with something in writing?

Mr. Speaker, that question was really well put, probably the best question today.

This afternoon, we will continue debate at second reading of Bill C-12 on net-zero emissions. This evening, the committee of the whole will study the votes under Department of Health. Tomorrow and Monday, we will be debating Bill C-7 on medical assistance in dying.

We hope to complete third reading of Bill C-7 on Monday to give the Senate enough time to pass the bill before the court-imposed deadline of December 18.

On Monday afternoon, at 4 p.m., the Deputy Prime Minister and Minister of Finance will deliver the fall economic statement in the House of Commons.

Tuesday and Thursday shall be allotted days.

On Wednesday, we will resume debate on Bill C-12, the net-zero legislation.

Lastly, next Friday we will resume debate on Bill C-10, concerning the Broadcasting Act, and Bill C-11, concerning personal information protection.

Madam Speaker, it is a great pleasure to speak to Bill C-11 today.

This is an extremely important subject that concerns the security and protection of all citizens' personal information. As my colleague already clearly stated, over the past 10 years and during the current pandemic, there have been a multitude of phishing scams via telephone, the Internet and online shopping platforms, which are increasingly popular.

I believe that Bill C-11 is timely and will correct major problems that we have been seeing for some time in different areas. For example, there have been cases of bank fraud, notably at Desjardins, and the federal government has also been affected. I know that the bill does not apply to the federal government, but this issue remains a very serious concern.

Take, for example, a situation that has occurred in my riding of Terrebonne. For the past month or so, we have been seeing a whole host of complaints related to the Canada Revenue Agency, from people whose identities were stolen by fraudsters who claimed CERB cheques in their name. This shows that there is a gap at the government level, which is very interesting.

I understand that we need to look at what requirements should be established for banks and e-commerce, but I think that there may be some aspects of the bill that we could rework. We are only at debate at second reading for this bill, which means that the bill could be amended and improved to give it more teeth, make it more robust and ensure that it is more responsive to the various threats that could arise in the future. Since we are essentially talking about technology here, the new law should be able to adapt its mechanisms to the changes in technology that will occur in the coming years.

However, there are a number of troubling issues that the bill does not address. For instance, metadata is not included in the bill. I am not an IT expert, but metadata is something that we see regularly. For example, if we spend a few minutes on the Internet searching for a camp chair, it is not unusual to then see ads for various types of camping equipment.

That is worrisome because metadata can be used to target specific individuals. When a group of individuals is targeted, there is a risk of more targeted threats or cyber-attacks. That is why I think it would be a good idea to improve the bill by addressing the issue of metadata.

The federal government, and the Canada Revenue Agency in particular, has quite a lot of work to do on matters of identity theft. The CRA's mandate is to manage revenues on behalf of the Canadian government.

However, what happens in the case of computer fraud as a result of identity theft? In that case, it becomes more a matter of public safety and national security. In many cases, fraud and identity theft, particularly in the banking sector, are committed from abroad using fairly sophisticated electronic means.

Once again, I am not familiar with the mechanisms used to investigate these predominantly computer-based threats or to protect us from them.

I am also referring to the recent debate we had—and I do think this is related—on 5G networks in Canada, in terms of the technological means that will be deployed over the next few years to protect the IT infrastructure itself from all threats and foreign influences.

In some cases, the threat might involve political or public influence. In other cases, it could literally be individual hackers from around the world who use technology, including 5G networks, to circumvent security mechanisms and break into various systems to steal identities and the personal data of the various citizens that we are meant to protect.

It seems to me that the general intent behind Bill C-11 is a worthwhile one, crucial even, as I said in my opening remarks. However, we also need to tackle the technical side. I get the sense that some issues were not considered from all angles so as to ensure that the bill reinforces the back door as much as it does the front door.

Once again, protecting online identity is the most tenuous aspect, and we are trying to rectify that here. I am concerned about a number of aspects of the authentication mechanisms, because that is really what this is about. Currently, many banks, institutions and businesses use a variety of platforms to secure and protect the identity of online customers and consumers.

As a few minutes on the Internet will show, private online commerce companies use many different authentication platforms and mechanisms. It might be a good idea to consider using the bill to standardize those online transaction authentication mechanisms, but the government seems unwilling to do that in the current version of Bill C-11.

The government wants to have companies and financial institutions take on more of the control, responsibility and obligations of protecting personal information. The government should, however, set out some very specific measures in the bill to ensure that all companies can shoulder this responsibility. Not every company has the financial means to set up robust data protection mechanisms. I therefore think that the government needs to set some statutory requirements.

As my colleague from Abitibi—Témiscamingue pointed out earlier, a lot of small merchants and businesses do not have the financial means to improve or modernize their technology infrastructure. This issue may also need to be addressed in the comprehensive approach we are advocating today.

There is the whole issue of jurisdictions. Quebec's jurisdiction over civil law and consumer protection plays an extremely important role. We know that the laws are confined to the jurisdictions for which they were written. This is not just a Quebec and Canadian problem, but also an international one. By the way, I think it will be necessary for the government to define very clearly these famous control mechanisms and make solid political and governmental choices in connection with the new information technologies that will crop up here at home.

That is essentially where this will play out. We cannot give a foreign government control over telecommunications and computer infrastructure. It is extremely important. We are wading into another field, but to be able to protect our constituents we have to ensure that our infrastructure is not threatened by other countries or by foreign nationals, such as the hackers I mentioned earlier.

Then we have to find some form of standardization to help ensure that clients or consumers are protected during online transactions. Let's not forget the entire issue of metadata, which are a formidable tool for any bad actor wanting to target and attack groups that are more privileged or more vulnerable.

In conclusion, the federal government must ensure that Canadians can be guaranteed, in all circumstances, that a consistent international standard will be rigorously applied, and that it will be possible to efficiently identify any and all fraudsters. Identifying fraudsters has always been a problem, and the Canada Revenue Agency could speak at length about this in committee.

Madam Speaker, I am honoured to be sharing my time with the member for Terrebonne.

I am pleased to rise to speak to the fundamental issue of the protection of privacy.

Since March 2020, Quebec business owners have been hard hit by the negative economic impacts of the COVID-19 crisis, namely the lockdown, the closures, the health measures, the labour shortage and the drop in consumption.

SMEs in Quebec have received assistance in the form of tax credits from the Government of Quebec and the Government of Canada to help mitigate these negative economic impacts. Now more than ever, SMEs are struggling under a burden of debt and many of them may never recover. At this difficult time for Quebec's social and economic life, I am worried about Quebec's SMEs, and particularly the small business owners who do not have the time or money to get bogged down in a data protection program that, in some cases, will have to take into account a number of Quebec and Canada laws.

By amending the Privacy Act, the Government of Canada is creating a number of problems for Quebec's SMEs because of legislation adopted by two governments, the Government of Quebec and the Government of Canada. Depending on whether their economic activities extend beyond Quebec's borders, it is very likely that Quebec's SMEs will not know which law governs their data protection plan.

The new federal law proposed in Bill C-11 will have real teeth, which means that Quebec's SMEs are likely to suffer, unfortunately. I am scared to think how this bill will affect Quebec's SMEs.

The pandemic is forcing many retailers to shift to online sales, the kind of electronic commerce referred to in the bill. In his speech to the House this morning, the Minister of Industry acknowledged that the protection of personal information is essentially a provincial responsibility and a matter of civil law. He said his bill respects provincial jurisdiction, but a closer look at the text reveals that to be not quite the case.

It is true that Bill C-11 applies to all federally regulated businesses. However, businesses that are not federally regulated, which describes the vast majority of companies and virtually all SMEs, are not really excluded from the scope of the bill.

The minister can exclude them if the province has substantially similar legislation, as is the case in Quebec, but he cannot exclude them entirely. In fact, he can exclude them only “in respect of the collection, use or disclosure of personal information that occurs within that province”.

Imagine the mess: a Quebec SME will have to comply with the Quebec law if the information does not leave Quebec, but it will have to comply with the federal law if the information does leave Quebec. Information collected from one customer will be subject to two different laws.

Which law do Visa card payments fall under? Does it depends on which territory the Visa server is located in? This seems unenforceable to me. If a business is covered by the Quebec legislation on data protection, that should apply to all its activities, not just half of them, as it would under the bill as currently worded.

Furthermore, Quebec laws are also adapting to the reality. We must recognize that the federal government's bill represents a step forward, because the current legislation has no teeth. Under Bill C-11, a privacy commissioner could establish the specific practices to be adopted in accordance with the principles set out in the legislation. A privacy commissioner would have order-making powers to force organizations to comply with those principles.

Under Bill C-11, a citizen could file a complaint with a tribunal. The privacy tribunal will also be able to impose significant penalties of up to 3% of a multinational's global revenue for non-compliance. In short, the major difference between the law and the bill we are debating, is that the bill's mechanisms are more favourable to citizens when faced with an organization that misuses digital data.

This bill fails to address the important issue of online identity protection to prevent fraud through identity theft, especially when Canadians engage in financial transactions. Bill C-11 does nothing to ensure that financial institutions in Canada verify someone's identity before authorizing a transaction, which exposes Canadians to fraud. Even the federal government has failed to properly verify a person's identity before authorizing an electronic transaction.

I would like to share an unfortunate incident that happened to one of my constituents. This summer, a young man was a victim of identity theft and wound up having to defend his reputation to the Canada Revenue Agency and another financial institution. It was my own office manager who, while talking to a federal official on the phone, realized that fraud had taken place. My office manager took charge of the case and helped my young constituent navigate the unpleasant process that lasted weeks. There was a police investigation and all kinds of documentation. There were numerous discussions with a financial institution and government officials. He had to go to great lengths just to prove that a fraudster had stolen his identity and to defend his reputation to a financial institution and the Canada Revenue Agency.

It was weeks before this young man was able to access the Canada emergency student benefit he very much needed. That is not exactly the kind of introduction a young adult should have to dealing with banks and governments. This whole situation happened because the government did not take the time to verify the identity of the CERB applicant.

The government needs to set an example and take immediate action to combat identity theft. This is a serious problem. Bill C-11 contains some privacy mechanisms, but there is no mechanism to verify the identity of users or consumers to protect their personal information.

I remind members that private information falls under the umbrella of property and civil rights, which is a provincial jurisdiction, as set out in the Constitution. Quebec is in the process of modernizing its act. Unfortunately, it is difficult to assess right now how the federal act and the Quebec act will interface.

However, the Bloc Québécois foresees some problems, and we do not want these problems to affect small businesses in Quebec, which, I remind members, are struggling as a result of the economic issues associated with the COVID-19 crisis.

SMEs carry a heavy debt load at times. Any additional weight on the shoulders of Quebec entrepreneurs is becoming harder and harder to bear. Considering the potential administrative nightmare that could result from how the federal legislation intersects with the Quebec legislation, I would ask that Quebec SMEs be exempt from Bill C-11.

Simon Marchand, chief fraud prevention officer at Nuance Communications, is a certified fraud examiner, a certified administrator and an expert in biometrics and security. He appeared before the Standing Committee on Industry, Science and Technology on May 20. We were discussing fraud-related topics. He mentioned that in the context of COVID-19, telework was a risk factor. This is especially true when it comes to customer service.

All customer service agents who normally work in call centres now work from home, in an unsupervised environment. These agents have limited resources, but now have the opportunity to access sensitive consumer information, whether it is data on their assets or information that could be used by anyone to impersonate someone else.

A second factor is the socio-economic reality, which will no doubt put pressure on many households. When it comes to internal fraud, we know that pressure and opportunity are the two basic factors that drive an employee to go against their employer’s interests and commit fraud.

Some areas have seen a 600% increase in the number of phishing scams involving COVID-19; attachments, links to websites and other methods are being used to lure victims. Fraudsters will be able to get their hands on vast amounts of consumer information, which they will not use in the next few weeks. Rather, they will wait six to 18 months before opening up accounts, taking out financial products and acquiring products from telecommunications carriers. That is what this bill is all about. It provides a modicum of protection, which is a good thing.

In terms of accountability, Simon Marchand said:

I think, though, the focus should be on accountability and the responsibility companies have in relation to the information they use to deliver services.... it calls into question the bank’s responsibility, which is protecting that information.

The first benefit of accountability will be to give the government a clear picture of the situation. It will know exactly how many victims there are, and it will be able to direct measures accordingly to strengthen security, particularly in banks and telecommunications companies.

This will put a burden on businesses, which will have to file reports, but this burden is not unreasonable, since the data they have is already known. All they will have to do is provide them to lawmakers or to a government-supervised body that can present these data more broadly and anonymously so that members of Parliament can access that information and know exactly what is going on in Canada.

This is an important step, because if there is a leak, companies must tell individuals what information was exposed and the risk of harm from the leak. That is what the bill does, and it is absolutely fundamental, because that is a risk that we run.

In conclusion, the lack of accountability for federally regulated businesses is a problem with the current legislation. There is currently no overall picture of how many people are actually victimized by having their identity used once it has been stolen. I am therefore pleased that the federal government is taking greater responsibility and beginning to act by introducing this legislation.

Madam Speaker, I want to thank my colleague for all his clarifications on Bill C-11.

However, I would like to take him in another direction. Quebec is also currently studying proposed legislation, Bill 64, which would provide increased protection for personal information and is heavily based on European law.

I am wondering if the government considered how these two laws will work together, to avoid the confusion that any overlap would cause for the consumer.