Bill C-11 (Historical)

Madam Speaker, I did have the opportunity to rise on the Conservative motion with respect to Huawei. As I made clear at that time, there are no providers in Canada at the moment that are using Huawei's 5G infrastructure.

I would also take issue, perhaps, with the word “scheme”. What is presented here in the bill before the House is a very serious framework for the protection of personal information and data on behalf of all Canadians. It is certainly something that I am looking forward to debating more fully today and in the future. If there are specific amendments, as I said, I think we are open to them, but at its core, we have a very sound structure that we presenting in Bill C-11.

Madam Speaker, I will be sharing my time with my colleague from Egmont.

It is with great pleasure that I rise in the House today to speak to the consumer privacy protection act and explain why this reform is important for enhancing the protection of our personal information.

When we talk about consumers, we are talking about all of us. All Canadians deserve the peace of mind of knowing that their personal information is protected.

As the Privacy Commissioner of Canada has said, the pandemic has accelerated the digitization of our lives, which inevitably increases risks to our privacy and the security of our data. This has raised serious concerns about our personal freedoms, our societal values, the public good, and the compliance and oversight measures required to manage this public health crisis.

Clearly, this crisis has laid bare the need for a certain use of available data, including personal information. In this context, we have seen many different approaches around the world. Different countries have deployed an array of technologies to support their efforts.

In some cases, their approach has focused on collecting location data for contact tracing or population monitoring or even for tracking an individual's movements. In other cases, telecom service providers have given the government location data from their network. On that, let me make it clear that our approach, Canada's approach, does not use those types of technologies.

This federal government will always defend our privacy and our personal data. Many stakeholders and experts have noted the potential impacts on the right to privacy arising from technologies being used elsewhere around the world. We heard those concerns, and that is why our Canadian approach does not involve these types of technologies.

For example, in the case of the COVID Alert app, our government worked with a variety of partners to support public health efforts to limit the spread of the virus, while also making sure we protected Canadians' privacy. The application was designed with this very objective in mind. As we have said before, the app has no way of knowing one's location, name, address, contacts or other information. In fact, following a review of the app, the Office of the Privacy Commissioner fully supported it.

I hope that this dispels any lingering myths about the app, and as we are very much still in the midst of this pandemic with rising community cases throughout the country, I would like to take this moment to encourage everybody to download the COVID Alert app.

Bill C-11, before us today, would create a strong framework for the protection of personal information in the private sector. The new consumer privacy protection act would impose requirements for obtaining individuals' consent to collect and use their data. Consent must be granted prior to data collection, and consent forms must be written in plain language that absolutely everybody can understand.

While this is extremely important, I know from my own experience, the experience of my friends and speaking to my constituents, and surely this is the case for many Canadians across the country, that not everybody reads the disclosure and consent page before clicking “I agree”. That is why we have proposed in this bill to legislate that organizations can only seek consent for data that are strictly necessary for their purposes. They can collect credit card information if they are selling something; they can collect an address if they will be delivering something.

Critically, this bill also would further empower consumers. It would give us the unfettered right to ask what information has been collected about us, how it has been used, whether it has been shared, and whether it has been sold. We, as consumers, would have the right to access the information that an organization might have on us and request its immediate deletion.

Another groundbreaking provision involves AI and algorithmic transparency. We are all familiar with these algorithms which make predictions and recommendations with the aim of influencing and impacting our decisions. Whether our experience is seeing advertising on Facebook or Google, which, very strangely, resembles some searches we recently did, or recommendations of videos on YouTube, for example, Canadians are constantly being fed information and suggested purchases based on algorithms that we know very little about.

Without going on too much of a tangent, I watched a few weeks ago a documentary called The Social Dilemma. I imagine many of us in this House who are interested in the topic of privacy protection and the Internet are familiar with the documentary. Let me say it scared the you-know-what out of me.

This bill would make it mandatory for companies to provide answers and an explanation, upon request, about how any predictions or recommendations targeted toward us were obtained. Legislating that right, providing that opportunity for consumers, is itself a deterrent for companies seeking to make use of algorithms for nefarious purposes. This is a critical step forward.

This bill deals with a very complex issue for individuals and consumers and for businesses. It recognizes individuals' right to privacy as well as the need of organizations to collect, use or disclose personal information in the course of reasonable commercial activities.

Our privacy bill is flexible enough to allow companies to apply the general requirements to practices specific to their sector. However, I want to make it very clear that good intentions on the part of private-sector organizations are not enough.

We know that for the new protections included in the legislation to really be implemented, we need binding and effective mechanisms to protect the rights of Canadian consumers. That is why this bill includes serious penalties for those who try to get around it. We are talking about monetary penalties of up to $10 million, or 3% of global revenues, for large corporations that break the law. For more serious offences, fines up can go up to $25 million, or 5% of global revenues.

These measures would be among the toughest in the G7. Our government takes the privacy of Canadians very seriously, and the web giants must do the same. We have seen major innovations and digital solutions that not only serve the public interest, but also protect the privacy of our citizens.

The legislation would allow companies to innovate in a responsible manner and enable Canadians to have more control over their personal information. It is true that the digital environment presents many challenges, but we must not let that stop us. There are tremendous opportunities. Back home in Montreal, I am seeing the potential of AI and responsible data usage. I am thinking about Mila, Element AI, Hopper, AlayaCare and all the start-ups and small businesses that are opening every day in Mile End and Mile Ex. We must continue to encourage the development of this sector while ensuring that the public has confidence in the regulatory and legal framework governing these companies.

As legislators, we must give Canadians our assurance that their data is safe and their privacy is respected. This assurance is necessary not just to foster creativity and innovation, which are essential ingredients for building a strong economy, but also to give us all peace of mind.

Madam Speaker, in her speech, my colleague said that she had some suggestions to improve Bill C-11. This is also the case for the Bloc Québécois.

On our side, we are very concerned about the issue of identity theft. There are ways to verify someone's identity. In Europe, mechanisms have been put in place. Here, however, the banks have no such obligations and, if it costs too much, they do nothing. We would like to see stricter regulations for banks and greater transparency.

Does the hon. member agree with what we are calling for?

Madam Speaker, I would like to inform you that I will be sharing my time with the hon. member for Lethbridge.

Today we are discussing Bill C-11, an act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other acts, which received first reading in the House on November 17.

I am aware of the importance of the issue addressed in the bill. It is 2020. Who would have thought that, in 2020, we would have to come to grips with technology in such a hurry because of a pandemic?

Technology was already evolving at a fast pace, but I can say that we have had to increase our knowledge at great speed. If someone had asked me three months ago if I was comfortable with teleconferencing, I would have said no, but today it is an everyday occurrence. It is important to address this issue.

I would like to remind the House that I represent the fantastic riding of Portneuf—Jacques-Cartier in Quebec. In 2019, the personal data of 2.9 million Desjardins members were leaked. They were victims of identity theft. Their data were resold to people who wanted to use them to do business in the financial sector. Although the leak did not involve banking information, it still exposed the affected customers to identity theft.

On June 20, 2019, Desjardins revealed that the personal information of 40% of its members had been illegally shared outside the organization by an employee, who had since been fired, of course. On July 8, Quebec's Commission d'accès à l'information and the Office of the Privacy Commissioner of Canada announced that they were launching investigations. On July 15, Desjardins broadened its identity theft protection and offered protection to more than 4.2 million individual members and 300,000 corporate members. On November 1, it announced that all 4.2 million individual members had been affected by the data leak. About 173 of the 350,000 corporate members were also affected.

I will reveal that I am a Desjardins customer and that I was part of this group. Even before the pandemic, digital transactions were commonplace. The current context is speeding things up.

Today's bill comes from a good place, because we do need to keep up with the times, but will we be able to apply and enforce it? Are we not putting the cart before the horse? That is the problem with this bill.

Examples in my riding make me wonder. The government is trying to bring in legislation that would impose astronomical fines on non-compliant companies. The government is puffing out its chest, bragging that our country will be giving the biggest, juiciest, harshest and most lucrative fines, but will we be able to collect?

What do we want? We want to protect Canadians and provide them with the necessary tools. Would it not make more sense to invest in a service that gives these tools to our businesses, so they can help Canadians and consumers?

I have mixed feelings about this bill. It obviously comes from a good place, but are we taking the best possible measures to ensure solutions for the coming days, weeks and months? We need something concrete.

My constituents often tell me that I must find it hard to be a parliamentarian, because I am pragmatic. We need concrete solutions. The goal is laudable, but are we taking the right measures? I am not sure.

I hear from many businesses and citizens. They are still calling me to tell me they are having problems with Phoenix. They are federal employees who are having problems with their pay because of Phoenix. Phoenix is a problem that was never fixed. It has been around since the Liberal government's first term in 2015. It is now 2020, and nothing has been resolved.

I agree that we need to enact a law to protect personal information, but there may be other priorities. We are seeing it now with the Canada Revenue Agency. I have constituents calling my office to ask if I can help them, because the CRA is claiming it sent them money that they never received, which is a sign that they are victims of fraud and their identity has been stolen.

Should we be enacting a law to punish large companies when we cannot even solve the problem in our own backyard? I am aware of the importance of this bill, but I wonder whether we are taking the right measures.

I mentioned this earlier, but it is worth repeating: I am the member for Portneuf—Jacques-Cartier, which is in the province of Quebec. Quebec has a program to help people who have a baby: The mother or the father is entitled to parental leave.

Here is another example that boggles the mind. One of my constituents meets all of the EI eligibility criteria, but his claim is being reviewed because there seems to be some problem factoring in the parental leave he took in 2019 and the Canada child benefit claim he submitted during the pandemic interfered with processing his claim.

That only happens in Quebec. The Liberal government seems unaware of the existence of provincial programs, and its Canada-wide employment insurance system prevents it from fixing the problem. In this case, is it because it is a Quebecker? Is it because he is a father? I am asking because I want to stress the importance of finding concrete solutions to systems before we consider a bill that will punish big corporations.

I completely agree that those who are at fault should be held responsible, should accept the consequences and should pay if they break the law. I completely agree with my colleagues on that point. However, I wanted to show how bizarre this situation is, a situation that puzzles me.

Clearly, we need to reflect on this and update the legislation, but is the version being introduced today the best one? I think we need to send this bill to committee for further study and consultation with specialists and experts. We did actually notice that there is only one expert regarding the tribunal.

I do not pretend to be such an expert. I am not computer savvy and, as I said six months or a year ago, I was unaware of my skills and adaptability to technology. Many members here in Parliament have managed to learn quickly, at lightning speed.

That is why we need to think about this bill and, as I said in my speech, not put the cart before the horse. We need to do things right to make sure that the bill really meets Canadians' needs. At the end of the day, the goal is the same: to protect society's interests and ensure that Canadians are respected and protected. We are all working toward this goal.

I will now happily answer my colleagues' questions. On that note, let us be vigilant, because fraud is always lurking around the corner.

Madam Speaker, I thank my colleague for his speech.

Bill C-11 seems to apply only to private businesses, not to the federal government. We all saw many examples of this during the pandemic. I imagine that all members were informed of the cases of victims of fraud or identity theft reported to their riding offices.

It therefore seems to me that this bill could also be applied to the federal government. Before imposing these sorts of measures, which I agree are desperately needed, on private businesses, perhaps the government should have a look in its own backyard.

I would like my colleague to tell me whether his government plans to do that.

Madam Speaker, I am pleased to rise today to speak to this Bill on consumer privacy protection.

The bill, which will replace the Personal Information Protection and Electronic Documents Act, makes consumer protection a top priority to ensure that Canadians have confidence in the digital marketplace and trust that their personal data will be managed responsibly by the private sector.

It is so important, in an era of global online commerce, for Canada to be putting in place a privacy standard that offers consumers increased control over their personal information as they participate in the modern digital marketplace. The act also includes several important changes to enable and support innovation in an increasingly digital marketplace.

I am going to speak today about how our government is supporting business and protecting Canadians' privacy as they actively participate in the digital economy. Our government is working to establish an enhanced privacy framework where consumer protection is strengthened and where businesses are supported in their efforts to innovate in a rapidly changing digital landscape.

Bill C-11 marks all sorts of important changes to the privacy framework for Canadians, and it is long overdue. It sets out enhanced measures for Canadians to ensure that their personal information is protected, and it establishes new roles and new mechanisms for industry in a way that promotes innovation in a digital world.

We understand the need to ensure that Canadians’ privacy is protected. We must also ensure that Canadian businesses have access to the support they need to grow and compete in a global marketplace based on digital technologies and data.

These changes are taking place at a time of great upheaval, namely the rapid evolution of digital technologies. They are also taking place at a critical time for businesses, which must adapt and innovate in a digital world.

The current pandemic has made digital solutions essential to everyday life. At a time when physical distancing is so important, consumers want solutions that give them access to the products and services they need. Moreover, companies must continue to do business and develop. Digital solutions have helped many of them stay afloat.

However, we all recognize that new technologies provide businesses with huge amounts of personal information, the kind of data they need to make business decisions and offer clients new services.

We know that innovation and growth are critical, but we have to stand up for Canadians and ensure that this innovation in a digital world happens in a responsible way. Today I am going to outline some of the key elements of Bill C-11 that enable responsible innovation: innovation that is done right in a Canadian way.

One of the goals of our current law, PIPEDA, which Bill C-11 would supersede, has been ensuring that companies are able to handle personal information to meet their own legitimate business ends. The other is to ensure that companies do this in a privacy-protective way. To achieve this dual objective, PIPEDA's framework is principles-based and technology-neutral. The framework ensures that this law continues to apply, even as technology has undergone rapid change.

Bill C-11, the CPPA, retains this approach, continuing the success of a flexible and adaptive privacy law in the Canadian private sector context, but we have to recognize that “the times they are a-changin'.” To better reflect the realities of the digital economy, and the continued emergence of new big-data technologies and artificial intelligence, the CPPA would allow for a number of provisions that support industry going forward.

The bill would create a level playing field for companies of all sizes by reducing administrative burdens, which is critical for the vast number of small and medium-sized enterprises in Canada. It would introduce a new framework for personal information that is de-identified. It would establish new mechanisms, such as codes of practice and certification, with independent oversight by the office of the Privacy Commissioner, and it would address data for research purposes or purposes deemed to be socially beneficial.

I will outline how the bill would do all this.

The bill before us today includes a new exception to the requirement for consent regarding certain business activities. The objective is to allow Canadians to give meaningful consent by limiting it to specific activities that involve real choice. This is essential to prevent the use of blanket consent and lengthy contracts that—let us be honest—no one reads.

This will also reduce the administrative burden on businesses in cases where an individual’s consent may be less relevant. Let's consider the example of a third-party service provider that ships various goods. The customer wants the goods shipped, and the business should be able to meet that need. The bill should not add to the burden of providing that service.

The bill would provide for new regulations to be developed for prescribed business activities and would introduce the concept of legitimate interests in Canada's privacy framework. This is something that industry has asked for, we have consulted about and the government has answered in Bill C-11.

Second, we are better defining and clarifying how companies are to handle de-identified personal information: personal information that has been processed and altered to prevent any identification of a particular individual. The bill would allow organizations to de-identify personal information and use it for new research and development purposes. Businesses must undertake research and development to improve their products and offer customers the new and leading-edge services they are looking for. This provision would give businesses the flexibility they need to use de-identified data for these purposes, which would add value for customers and businesses alike.

The law would also allow organizations to use data for purposes of serving the public good, specifically by allowing companies to disclose de-identified data to public entities. Such disclosures would only be allowed when the personal information could not be traced back to particular individuals and when there was a socially beneficial purpose; that is, a purpose related to health, public infrastructure or even environmental protection. This kind of provision would protect individuals while ensuring we use all the tools at our disposal to address the biggest challenges of our time.

Included in the bill is a clear set of parameters for institutions, such as hospitals, universities and even libraries that would seek to receive personal information for a socially beneficial purpose. These parameters would help clarify the rules of the road in new and important fields.

These provisions would also permit organizations to share more data in a trustworthy fashion. They would allow the private sector to work with different levels of government and public institutions to carry out data-based initiatives in a privacy-protecting fashion. By taking this approach, the bill would accommodate emerging situations where collaboration between public and private sectors could have broad public benefits, while at the same time maintaining the trust and accountability that Canadians demand and deserve.

Third, the bill would provide the framework for codes of practice so businesses, especially those in specific industries or sectors of the economy, could proactively demonstrate compliance with the law. The bill would do this by introducing co-regulatory mechanisms into Canada's privacy landscape that would have businesses and the Privacy Commissioner working together. For example, there could be a code for de-identification.

I recognize my time is running short so I will simply mention that I would open the door to talking about the process the bill would provide for certification and certification bodies. I think this would be a very important provision that businesses across Canada would use regularly and that the Privacy Commissioner would have the opportunity to work on with businesses.

With that, I am thankful for the opportunity to speak to Bill C-11. I look forward to taking the questions of my hon. colleagues.

Madam Speaker, I hope to see this legislation brought forth to, I believe, the ethics committee, where it would be sent from the House and we would see a vigorous debate on the bill.

I am very happy that for the first time since 2001, when PIPEDA was introduced, we are seeing the modernization of our privacy act, if I can use those terms. It is great to see because we know data, technology and the importance of data have grown exponentially throughout the years and even more so in our daily lives. We need to ensure laws are updated and revamped to protect Canadians. That is what we are doing with Bill C-11. I will be happy to see it go to committee, and as a member of that committee I will be involved in that vigorous debate.

Madam Speaker, I hope to see Bill C-11 come to committee in an appropriate fashion. We are having a vigorous debate here in the House on the merits of the bill, and when it comes to committee suggestions can be put forward.

What I am very happy to see in the current form of the bill is that we would have some of the highest fines in the G7 under the CPPA, which would be introduced with this bill and ensure organizations are maintaining and controlling the data of Canadians in an appropriate and safe manner. It is great to see the bill has highlighted the fines and penalties that could be instituted on organizations if they fail to do so.

Madam Speaker, I thank the member for Rivière-des-Mille-Îles for his question.

COVID-19 has brought many things to the forefront, and data protection and identity protection are first and foremost. What Bill C-11 brings forth is the idea of consent and also the idea of data destruction. If someone is moving their information from one provider to another, they would be able to indicate to the first provider that they wished to have their data and personal information destroyed so it would not be leaked or hacked.

There are several protections built into this. Consent is one of them, and I am happy to see this. I am happy to see the update to a number of laws within Bill C-11 for the protection of data and information for all Canadians from coast to coast to coast.

Madam Speaker, I will be sharing my time with my colleague, the hon. member for Pontiac.

I am pleased to rise today to speak about the digital charter implementation act, 2020.

Digital technology is changing our economy and our society. Data is now a resource that companies can use to be more productive, to develop better products and services, which has unleashed a digital revolution around the world and which is even more evident during this time of COVID-19.

At the same time, the rapid growth of data-driven industries and technologies is opening the doors to the potential of new and innovative uses of data to support the public good. Data drives the development of many of the algorithms and protected models that are key to our understanding of societal challenges. Examples include the use of data to support sound public health outcomes; enable smart city technologies, such as dynamic traffic management; and promote greater energy efficiency and sustainability through smart grid technologies.

In Canada, public discussions around socially beneficial uses of data have focused on the emerging concept of the smart city in light of waterfront Toronto development proposals and other smart city initiatives considered by federal, provincial, territorial and municipal governments.

The COVID-19 pandemic has recentred the discussion on the role of private sector data and innovation in supporting public health objectives. We are witnessing the central role that data is playing in managing the pandemic. Not only is data critical for tracking current outbreaks or predicting future outbreaks, it has also been used to inform how our health professionals manage critical supplies and ensure they are deployed where they are most needed.

While data has proven to be of vital importance, stakeholders have identified the need for greater clarity around the legal frameworks governing data sharing between businesses and public sector institutions in the context of smart cities and public health.

At the same time, Canadians' concerns over the protection of privacy and democratic responsibility underscore the importance of defining the conditions necessary to establish a certain level of confidence in any new framework. Data sharing can lead to innovative solutions that benefit society.

However, Canadians need assurance that their privacy will be respected and that their data will not be misused. That is why the act to enact the consumer privacy protection act introduces a clear framework for privacy protection in data sharing for socially beneficial purposes.

Under Bill C-11, organizations will also be obliged to obtain consent before disclosing personal information to other organizations. This is in line with the existing act and with most of the legislation on privacy protection in the private sector.

However, in order to support responsible innovation, the bill makes one exception that will allow private sector organizations to disclose de-identified information to certain types of Canadian public institutions for socially beneficial purposes, without consent. This guarantees that businesses will be given the opportunity to participate in public sector initiatives that use data to contribute to the public good.

In addition, by abiding by this framework, private sector organizations can take part in these data sharing activities with full confidence that they are complying with the bill. At the same time, the bill underscores the importance of oversight by democratically responsible public authorities.

As I mentioned, information that is disclosed in this manner would have to be de-identified, ensuring that individuals' privacy is completely protected. What is more, the act would prohibit using that information later to try to reidentify the individual. This prohibition would be tied to significant fines.

This framework would allow Canadians to participate in initiatives directed at socially beneficial purposes without compromising their privacy. It would also ensure that Canadians benefit from the full power of data to create better solutions to some of the most complex policy challenges of our time.

The scope of socially beneficial purposes would focus on areas of public interest that provide broad public benefits supported by use cases and lessons learned that have been identified through years of engagement between government, business stakeholders and civil society organizations.

For example, ride-sharing and transportation service companies could potentially disclose de-identified aggregate data on the movement of their users to municipal authorities as modelling traffic patterns to help improve traffic flow, plan for better public transit initiatives and to improve road user safety.

The law would set clear parameters on which public institutions could receive information under the new consent exception, such as health care bodies, post-secondary institutions, public libraries and other public institutions or private organizations with the mandate to carry out a socially beneficial purpose. Many of these public institutions already have robust data governance systems in place to ensure the integrity of information and protection of privacy and would be ready to take on new responsibilities that would be in the public interest.

The framework for socially beneficial purposes would also cover situations where different levels of government direct public institutions or certain private sector partners to carry out data initiatives. As highlighted in the reports of our colleagues on the policy implications of connected and automated vehicles, this type of public-private sharing of information would be critical to ensuring the safety and security of technologies that would bring incredible benefits to all Canadians.

The approach proposed in the bill would ensure that the law would be adaptable as new use cases emerge and pave the way for innovative new uses of data that could provide broad public benefit while retaining trust and accountability.

Canadians can also rest assured that the new act will protect their information before and after they communicate with these institutions. All personal information transferred will first be de-identified, which will ensure that privacy is protected in these data sharing activities. The consumer privacy protection act also contains clear rules that will prevent the identification of this information, as well as severe penalties for organizations that break these rules.

The framework for socially beneficial purposes will allow innovative Canadian businesses and public organizations to take part in resolving the greatest social challenges in areas such as health and environmental protection. This could improve research on the pandemic, enhance environmental sustainability and conservation efforts, and make our roads safer for users.

These actions will be based on clear democratic responsibility and the protection of Canadians' privacy, and will maintain the flexibility needed for future innovative uses of data for socially beneficial purposes.

Mr. Speaker, today, I rise to give my input on Bill C-11, the digital charter implementation bill. I am happy to give this input. It is a timely bill for Canadians because this bill is about access to people's information and, more important, how that information is monetized by others. At a time when big corporations around the world are earning billions of dollars very quickly from information, getting in front of this issue right now for Canadians is very important.

What is being sold? Canadian information is being sold. What do Canadians privately own of their own data? This is the question that should be addressed in this bill. The converse of this, of course, is the targeted marketing and what Canadians get from the fact that they are giving away their information so they are getting back more services that might be tailor-made to them. It is one of those areas where the intent of Canadians not to give away their data and the result of that data that they willingly gave away, in many instances can be very contradictory. Let us tell Canadians first, as my colleague said here earlier, that they are the product.

Phones are listening to us. Computers are listening to us. Sometimes, computers are watching us. Sometimes, when my sons at home have Siri on, they say, “Siri, turn on”. Siri comes on and I tell them, “Siri was listening the whole time because it just turned on when you told it to turn on.” A lot of information is being culled. We do not know which of that is resting with us, and which of that is public information to be monetized by somebody else.

When I read this bill, I saw a bureaucratic solution designed by bureaucrats for use by bureaucrats, with what will be minor effect for the Canadian population in general. As much as we would like to make sure that we actually do deal with the issue around Canadians' private information that is provided online, we do need to make sure that it applies consistently across our country. It is a bubble created by a bureaucracy, and that bubble is lacking any consequences for mistakes and those mistakes will happen within the bureaucracies of the Government of Canada. In essence, from the Government of Canada's level, everything in this bill shows a complete lack of accountability for the government about how it might misplace or misuse Canadians' data.

I recall, years ago, the government's approach to what was the no-call list. There was a lot of telemarketing going on at the time and the government came out with a solution. If people registered their phone number it would ensure they did not receive telemarketing. We all jumped on that because on our land lines at the time we were getting a lot of telemarketing. When that registration came up, of course my land line was registered and it said to put in my cellphone number too. I put in my cellphone number, and the next day I started receiving telemarketing on my cellphone where I never had before. What apparently happened is the Canadian government's site had been hacked and all that information was sold to telemarketers. It is a shame because it got no money for it. My information was given away for free and a whole bunch of telemarketers got something from the Government of Canada that was literally stolen from Canadians. Therefore, my data was somebody else's, without my consent, as a result of my contribution to the Government of Canada.

Consumer pricing protection is something that would fall in the same type of realm. How do we make the Government of Canada accountable for what might happen with the data that we willingly give the Government of Canada? Will there be fines? Do we actually tell the Government of Canada that if it does not protect this information the Canadian government is going to fine the Canadian government and therefore the taxpayers are going to have to contribute to the government's fining itself? It is a bit of an around-the-world kind of trip, much like quantitative easing.

The problem is, who has this information about me? I do not know, but the party I am forced to disclose the most information to, that I know about, is the Government of Canada.

Let us discuss how stopping that government body in charge of the information I provide is mishandled. That would be the Canada Revenue Agency more than anybody else. It has my financial information, all kinds of dates and my social insurance number. Frankly, having dealt with it for years, it is a disaster of an organization. It has the wrong information. It processes information badly. It is the worst organization to try and fix bad information. That is the Canadian government.

Let us look at what happened in the last handful of months here with the CERB. Data was pilfered and Canadian payments during a pandemic were misdirected. How much of the $400 billion spent is legitimate and how much is as a result of data hacks that went to the wrong entities? Canadians are paying for these mistakes. Canadians are paying now and Canadians are going to continue paying for generations.

The legislation looks like it is designed for large organizations. Let us start with banks. Banks are another organization that we provide a lot of information to and they have a lot of information about us because they handle our financial information. They know how much we are worth, they know how much we have on deposit and they know how much we owe on our mortgages. They are pretty deep as far as what they understand about us.

There are all kinds of small businesses here, as well, that we need to apply. I want to read from this legislation something that should scare any small business person. This is about privacy management programs as required under this legislation. It states:

Every organization must implement a privacy management program that includes the organization's policies, practices and procedures

It further states:

the organization must take into account the volume and sensitivity of the personal information under its control.

What does that mean and how do we interpret that? Further, an organization:

must ensure, by contract or otherwise, that the service provider provides substantially the same protection

They have to ensure something nebulous is provided by their service provider when forwarding information.

Let us get on the ground here. Someone can walk into a pharmacy and that pharmacy wants the Alberta health care number, which is private government information. The retailers want that information so they can continue to track certain things someone does. They know how much of a person's spending they have and they know how much they can market other products to that person if getting some kind of prescription. Government data is quickly translating over into retail data. That is not exactly something we want to provide.

I will go further here because seniors are the people most affected by this. There are so many seniors who are bearing the brunt of the pandemic. There are issues we go through as we age, including financial institutions, insurance companies and all service provides. Many take advantage of seniors in many respects because things get very complex. We want to make sure our seniors are taken care of in a system that continuously evolves, advances and gets more complex. That is something this legislation should take care of more than anything else.

I do not like being just critical. There are also good things in this legislation and I am going to point them out. The purposes of this legislation are that an organization must determine:

each of the purposes for which the information is to be collected, used or disclosed and record those purposes.

The information for consent is also required. Forms of consent are also defined within. The withdrawal of consent is there, as is the disclosure to cease that actual consent.

Another good thing is there is a period for retention and disposal of data that we provide organizations. An organization must not retain personal information for a period longer than necessary. These are very good advances in the legislation. I thank the drafters of the legislation for that.

I have questions on some of the other parts of this legislation as well. On the transfer of information to service providers, organizations may transfer an individual's information to a service provider without the client's knowledge or consent. They would still be monetizing data that gets collected by one retailer or provider and—