Bill C-11 (Historical)

Mr. Speaker, my colleague is a leader within our caucus and is very well-informed on this file and very knowledgeable about this very complex issue.

As he knows, I have been working on the heritage committee. We have also been looking at Facebook and the web giants and that cozy relationship the Liberals have with the web giants. We have seen that lobbying over the last few years tripled since the Liberals became the government.

In terms of personal privacy, I am wondering if the member could talk a bit about what he would like to see improved in this bill to make sure that cozy relationship does not get any sort of prevalence.

Mr. Speaker, I thank the member for Edmonton Strathcona for her hard work on this, and also for reinforcing the protection and strengthening of the Privacy Commissioner. That office has done wonders for this country. I have seen about four privacy commissioners in my tenure in Parliament, and they have all been strong. I have not always agreed with some of their decisions, but they certainly have been at the forefront of accountability in public policy in pushing for greater protection for Canadians. The U.S. does not have this. This is one of our moments of strength that we as a country have in a structure. The member is absolutely correct. We need to make sure the Privacy Commissioner's office is strengthened and remains independent because it has been an asset, not only for personal information but also for our businesses across this country.

Mr. Speaker, I thank my hon. colleague from Windsor West for his detailed assessment of Bill C-11. It is the first opportunity for me to speak to the bill. I certainly plan to vote for it at second reading to get to committee.

An amendment I hope to pursue at committee is an issue that the hon. member discussed. That is getting the PIPEDA framework in Canada to apply to political parties. Here in British Columbia at the provincial level, political parties have to meet privacy requirements. I commend the member for raising it early in debate, and ask if the New Democratic Party will also support amendments in committee?

Yes, Mr. Speaker, New Democrats support amendments and we will be proposing several. There is no doubt about it.

I would like to acknowledge that British Columbia's privacy protection for decades has been recognized across North America and different parts of the world. There is no doubt that British Columbia will provide good opportunity for some lessons to strengthen our own Privacy Commissioner as well. That is key.

New Democrats support these changes. We have amendments prepared already, and we will be adding more amendments. We have to get this right. There is only going to be one chance at this in the near future as we are building out and doing things more online than before. We have to enshrine the philosophy that our human rights are connected here. If we do not enshrine that human rights are connected with regard to this, that one's digital rights are like one's physical rights, then we will be lost; and, we cannot do that. We have to win.

Mr. Speaker, I want to ask the member for further comments in regard to the tribunal because that is a critical component here. The member has expressed great concern in terms of the timeliness of decisions being made by the tribunal. I wonder if he could just provide some further thoughts on how that issue could be best addressed. As opposed to focusing his attention on the appointments, are there mechanisms that he could see being put into place that would ensure a more timely response once issues have been raised?

Yes, Mr. Speaker, the tribunal will be subject to a judicial review, and it could be challenged. The challenge that we are going to be faced with is that decisions could be pushed off down the line. For example, it could take a long time for CRTC decisions to come back and it is one of the most frustrating things. I give credit to our incumbents where they need to be given credit, as they have actually had to deal with a broken system, with CRTC not having the resources and the capabilities to get back in a timely manner. Therefore, the tribunal is going to be critical for that.

Having judicial experience added to it that is stronger than what is currently there and also making sure that some of the powers it has cannot overturn the Privacy Commissioner are some of the things I would like to see advanced in this bill.

Mr. Speaker, I will be splitting my time with the member for Willowdale.

We increasingly live our lives online and our laws need to reflect that reality. Privacy is a human right and it is inextricably connected to our personal autonomy.

The Council of Europe's Convention 108 states, “The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.” The GDPR states, “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

The incredible scale of data collection can be a powerful force, both for good and bad, so we need strong privacy and digital rights and a strong regulator to enforce them.

There is much in our government's Bill C-11, which is a serious reform of PIPEDA and certainly long overdue. I remember in June 2018, I introduced legislation simply to give the Privacy Commissioner new powers, which our privacy committee had twice unanimously recommended. We have come a long way since then with this substantive bill. OpenMedia said, “Bill C-11 is a big win for privacy in Canada.”

While I have heard some reflections from experts and certainly from some parliamentary colleagues already about how the bill can potentially be improved, or some open questions about what might need to be fixed, it is certainly deserving of our support at second reading. I look forward to working with colleagues across party lines to improve the legislation at committee where we can.

At this point, to work at committee across party lines something of a detour is required. I want to specifically commend my Conservative Party colleagues from Prince George and Thornhill, my NDP colleague from Timmins—James Bay and my Liberal colleague from Kitchener Centre. We worked very long and hard on privacy issues in the last Parliament. We helped found the International Grand Committee, comprised of over 10 countries, to discuss these issues. We hosted the second meeting of the IGC in Ottawa. We tabled the report “Towards Privacy by Design” in February of 2018.

When we as parliamentarians talk about committee work and often the overlooked nature of the committee work, we do not always see that committee work turn into legislation. In this instance we have.

We recommended stronger consent rules and we see stronger rules in Bill C-11. We recommended algorithmic transparency and we see in Bill C-11 a commitment on transparency where systems are used to make predictions, recommendations or decisions about consumers. We recommended data portability and interoperability. We see those commitments in Bill C-11.

We see stronger powers for the Privacy Commissioner. I mentioned that need for a strong regulator, including order-making, auditing and the ability to levy fines. We see order-making powers. We see the ability to audit. We see a new tribunal, and while I understand some of the caution or questions members are raising in respect of this design, it is consistent with the competition commissioner and tribunal operations and worth looking at more seriously to see if it can be approved. However, through the tribunal, we see the ability to levy significant fines, in the magnitude of $10 million to a maximum of $25 million for more serious fines.

In terms of the course of that committee work, I want to reflect on a couple of stories about why this kind of legislation is so important and critical.

I think it was in the fall of 2017, when we were in the midst of the study on PIPEDA reform, that the member for Thornhill, the former member for Skeena—Bulkley Valley, I believe I am getting that right, and I went down to Washington and met with other elected representatives there. We witnessed some of the hearings in relation to the Equifax breach, but we also met with Facebook officials. At that time, when a question was put by I think the member for Thornhill as to what Facebook's views were on the potential new regulations, they said absolutely no new regulations were required in Canada due to the strong framework through PIPEDA and, if there were new rules, that might affect Facebook's willingness and interest in investing in Canada. Certainly, we have come a long way since those kinds of conversations and push-back by big tech companies against stronger privacy rules.

We saw that Mark Zuckerberg unfortunately did not attend before the IGC, though he said he would like to work with parliamentarians around the world, but we can certainly say that the days of self-regulation are over and asking for regulation. Here is that kind of regulation in Canada.

On consent, I have to tell one other story that happened at committee. Again, we had Facebook officials there. We were in the midst of going down the rabbit hole of the Cambridge Analytica scandal and the Canadian context of that third-party app, which had shared so much information. I think it was under 300 Canadians who had used the app, but thousands of Canadians had their information shared. I put to Facebook at the time, “How is it that on the basis of meaningful consent thousands of Canadians could have agreed that their friends share their information through this third-party app and then share it with Cambridge Analytica?” With a straight face somehow, a Facebook representative said to me that it was in their terms and conditions.

That speaks to the problematic nature of consent in the existing law and the lack of meaningful consent. Thankfully, our Privacy Commissioner, despite his current lack of meaningful powers, pursued that line of inquiry and found that Facebook violated our current laws and took the matter to court. We know that with stronger consent rules, there would have been no ability for a Facebook representative to say with a straight face that there was meaningful consent.

Plain language is important. I would go further, though, and say that as we think about consent, particularly in a consumer context, I think we ought to be more wary of privacy by default. We have to be more concerned about privacy by default. Where there is a reasonable expectation of the consumer that information is going to be shared and used in a particular way, then explicit consent, obviously, ought not need to be required, but where there are secondary uses, where there are uses beyond a reasonable expectation of that consumer then, certainly, we need explicit opt-in consent. It needs to be very clear to consumers how their information is to be used, if at all.

I want to emphasize the consumer context because it is a curiosity of privacy legislation and a curiosity of consumer protection legislation that when I purchase my phone I do not have to read the terms and conditions. There is no expectation by government that I read the terms and conditions, yet I am protected. There are implied warranties pursuant to consumer protection legislation. I do not need to read those terms and conditions in order for my rights to be protected as a consumer, yet there is an expectation when I download any app on my phone that I read the terms and conditions. That cannot be a tenable state of affairs if we want to protect consumers. We cannot expect consumers to read every term and condition, and every consumer contract in the course of downloading applications, and in the course of living their lives, as I said, increasingly online. Our laws need to reflect that reality.

There are obviously some straightforward fixes for this legislation. The membership of the tribunal should obviously have greater privacy expertise. I think that is a no-brainer. We do have to think more deeply through some of these consent rules and how we can strengthen them potentially further. I would like to see us go beyond algorithmic explainability to some kind of algorithmic accountability.

I know that others have mentioned political parties being left out. I do not know that political parties need to be subject to PIPEDA specifically, but they ought to be subject to privacy legislation. If there is no further effort under way by the government, then I think PIPEDA may well be the place to do that.

Lastly, I think we have to focus on children, in particular, when we look at consent rules and protecting kids on the Internet. Previously, I have written and spoken publicly about my support for our right to be forgotten, but I do think we have to be more focused on our rules and protection for kids as they grow up with the Internet and live their entire lives online.

I will close by simply saying that this is a big bill. This is second reading and, certainly, all of us ought to support this in principle. I look forward to working with experts and colleagues to strengthen the bill at committee and get into the details.

Mr. Speaker, one concern that has been highlighted by a number of other colleagues in this place is the fact that the bill may have the unintended consequence of creating an unlevel playing field for small and medium-sized enterprises, versus the big players. The big players have teams of lawyers and departments to deal with this sort of thing, as opposed to the small and medium-sized enterprises that are going to have to grapple with the consequences of this sort of legislation.

Would the member be able to provide some context about any safeguards that may exist or any suggestions that he would have to ensure that there is in fact a level playing field in that regard?

Mr. Speaker, I would say a few things. First, the concept of proportionality is really important in this regard. Second, it is a live concern that should be addressed by the committee in some respect, but I would also note and would present some caution in response that there are some small companies that collect mountains of personal information. It is not necessarily the size of the company but the activities of the company that we ought to be most concerned about.

Mr. Speaker, I want to thank my hon. colleague for an excellent speech. I felt I should have written it with him at some points, because we spent so much time together studying this and pushing the government for action. There are some key elements in this legislation that certainly come from our work together on the ethics committee.

I am interested in the issue of algorithmic accountability. I think that is something the ethics committee was way out front on. When I look at the other legislation, about having Facebook and Google under the CRTC, I feel it was the best idea for the 1990s. When we are dealing with algorithmic powers that are pushing extremist content, that are pushing Holocaust denial, and when we have seen how that is the real driver on the big social media platforms, and the inability of parliamentarians to actually look inside that black box, I would like to ask my hon. colleague how he would suggest we actually get some stronger accountability mechanisms on the algorithms that are pushing the content and driving people to certain sites and certain conversations.

Mr. Speaker, I am looking forward to getting back to the ethics committee to work with the member for Timmins—James Bay on these issues.

When we look at the use of algorithms and the use of algorithms combined with just the scale of data collection that we see today, we can narrowly focus in on consumer privacy on the one hand, but on the other hand there are bigger conversations about how that information is used to target messages to us and the implications for our democracy. There is a reason, when we hosted that meeting in Ottawa for the IGC, that it was on big data, privacy and democracy.

In terms of algorithmic accountability specifically, I would say I am not certain yet what the perfect solution looks like, but I have always been interested in the work of the Treasury Board in respect of algorithmic impact assessments. It is clear enough, and I am glad to see in Bill C-11 that there is a commitment to algorithmic transparency.

Going further and having some body, potentially the Privacy Commissioner, able to look under the hood and audit algorithms and their potential positive and negative impacts is important. We need to figure out a way to do just that.

Mr. Speaker, I want to acknowledge the phenomenal amount of work that the standing committee did in order to help facilitate the recommendations.

Could the member provide some of his thoughts in regard to the pre-presentation work involved in the legislation? Does he have any closing thoughts on that?

Mr. Speaker, I would just say very quickly that this is one of the few examples I have seen in this Parliament, at this scale at least, where parliamentarians from all parties worked constructively and collegially. No one would have been able to tell which member of which party was asking questions of Facebook officials, Google officials and various representatives and other experts.

When we made those recommendations in February 2018, I do not think people were particularly seized with this issue. Then we went down the rabbit hole of Cambridge Analytica and really continued the examination of these issues and this work. Out of that work, I can see our committee work reflected in the legislation. I think members of all parties ought to be proud of that. We ought to now take that and work even more to improve the legislation going forward.

Mr. Speaker, I rise today to join my colleagues in speaking to the digital charter implementation act, 2020.

In today's ever-changing digital environment, Canadians have demanded better protection of their personal information. They have also demanded that organizations be held accountable for misusing their information. Stakeholders have told us that they want flexibility to innovate responsibly and want consistency with privacy rules everywhere else in other jurisdictions.

I am proud to say that the digital charter implementation act, which would enact the consumer privacy protection act, or CPPA, represents the most ambitious overhaul of Canada's private sector privacy regime since PIPEDA was first introduced, in 2000. CPPA would introduce significant changes to better protect the personal information of Canadians in the way they have been demanding, including, of course, with strong financial consequences for those who do not follow the law.

Prior to PIPEDA, in the 1990s, other countries around the globe introduced new laws to ensure that privacy was protected and that the opportunities afforded by e-commerce and the flow of information around the globe flourished. In particular, the EU introduced a privacy directive for its member countries to implement into their national laws.

Inspired by the EU law, Quebec introduced the first private sector privacy law in Canada in 1994. This was an important step forward, but it also raised the potential and, of course, the prospect for a patchwork of provincial privacy laws. With the prospect of multiple, possibly conflicting, rules and gaps in privacy protection that could harm Canadians, the federal government needed to act. Canada required a national privacy standard to ensure consumer confidence and regulatory certainty for businesses.

At the outset of the new millennium, PIPEDA was created to address the privacy concerns arising from a period of technological disruption fuelled by the rise of the Internet. It provided a framework with robust privacy protections and the flexibility to support the legitimate needs of businesses to use personal information. It also provided a mechanism by which the provincial private sector privacy laws could be considered substantially similar. This meant that where such a law is accorded that designation, PIPEDA does not apply to an organization's activities within a province.

In 2004, Alberta and British Columbia passed private sector privacy laws that are considered substantially similar, as is Quebec's law. A number of newer provincial health information laws have also passed, since 2005, that have been appropriately designated as substantially similar.

PIPEDA would continue, however, to apply to the federally regulated sector in a province and to any personal information collected, used or disclosed in the course of commercial activities across provincial borders. This provided a stable regulatory environment and flexibility for the provinces, and supported Canada's trade interests for many years.

However, today we are faced with a changed environment. Today, in many ways, history is repeating itself, but the risks have evolved. The role of digital technologies is considerably more central to our lives than it was 20 years ago. Just consider our experience in recent months with the pandemic. To harness all that the modern digital world has to offer, we clearly needed to modernize our federal private sector privacy law.

In a globally connected economy, our laws needed to be consistent with those of other jurisdictions. Internationally agreed privacy rules, such as the OECD privacy guidelines, first introduced in 1980, were updated in 2013. So too, I might add, more recently, was the APEC privacy framework. Indeed, privacy laws based on these international norms have been changing and advancing in Europe, Japan, South America and New Zealand.

What have these changes entailed? Core privacy principles have remained, though some have been expanded, such as accountability and breach reporting. New elements, such as enhancing rights of erasure and mobility rights, a greater emphasis on transparency, more certainty for businesses and consumers through codes certification and stronger consequences for non-compliance, have been the principal hallmarks of many of these evolving changes.

Closer to home, this summer, Quebec introduced amendments to its private sector privacy law, and B.C. recently conducted a study on its own laws. Ontario too is considering introducing a new private sector privacy law. Stakeholders have told us they are worried about the burden of multiple laws with different requirements. They demanded harmonization here at home.

There is a clear need for the progress and reforms included in the digital charter implementation act, 2020. If we do not act, there is a risk of further fragmentation of privacy rules across the country. We need to keep up with changing technology and business practices, and incorporate the best international practices, protocols and safeguards in our own domestic laws. We also need to set a common standard for privacy protection for the private sector across Canada.

Like the current PIPEDA, the new CPPA would be grounded in the federal trade and commerce powers. It recognizes the very importance of doing business on a national basis and in an economy that must work across provincial boundaries. Also, like PIPEDA, it would provide for a mechanism to recognize provincial laws that are substantially similar. These regulations would set out the criteria and process for such recognition or for reconsideration of it, and would continue to provide the provincial flexibility that has been important to PIPEDA's success. CPPA, like its predecessor, would maintain the Privacy Commissioner's ability to collaborate and co-operate with his or her provincial counterparts, an important tool to ensure consistency.

As the minister emphasized earlier today, the focus should always be on compliance. Some ask why we cannot have just one national law. The answer, of course, is that Canada is a federation; there is a division of powers. Indeed, the provinces provide important coverage that a national law cannot, under our Constitution.

I would be remiss if I did not also acknowledge the international context.

We live in an interconnected world. Data are constantly flowing across borders. In 2002, the European Commission recognized PIPEDA as providing adequate protection relative to EU law, allowing for the free flow of personal information between Canadian and European businesses. However, in 2018, a new EU regulation came into effect: the General Data Protection Regulation. It updated many of the existing requirements and added strong financial penalties for contraventions. The EU is currently reviewing its existing adequacy decisions, including the one applying to Canada.

That is why the government launched Canada's digital charter in 2019. Its 10 guiding principles offer a firm foundation on which to build an innovative and inclusive digital and data economy. The principles of ensuring interoperability, a level playing field, strong enforcement and real accountability are clearly reflected in the digital charter implementation act.

I want to thank members for their attention today, and I can assure them that our approach to privacy protection respects the privacy rights of Canadians. It is pragmatic, principled, meets our trading needs and provides a consistent, coherent framework that Canadians and stakeholders can rely on.

With Bill C-11, we will continue to encourage trade and investment and grow an economy that extends across provincial and international borders alike.