Mr. Speaker, I rise today to join my colleagues in speaking to the digital charter implementation act, 2020.
In today's ever-changing digital environment, Canadians have demanded better protection of their personal information. They have also demanded that organizations be held accountable for misusing their information. Stakeholders have told us that they want flexibility to innovate responsibly and want consistency with privacy rules everywhere else in other jurisdictions.
I am proud to say that the digital charter implementation act, which would enact the consumer privacy protection act, or CPPA, represents the most ambitious overhaul of Canada's private sector privacy regime since PIPEDA was first introduced, in 2000. CPPA would introduce significant changes to better protect the personal information of Canadians in the way they have been demanding, including, of course, with strong financial consequences for those who do not follow the law.
Prior to PIPEDA, in the 1990s, other countries around the globe introduced new laws to ensure that privacy was protected and that the opportunities afforded by e-commerce and the flow of information around the globe flourished. In particular, the EU introduced a privacy directive for its member countries to implement into their national laws.
Inspired by the EU law, Quebec introduced the first private sector privacy law in Canada in 1994. This was an important step forward, but it also raised the potential and, of course, the prospect for a patchwork of provincial privacy laws. With the prospect of multiple, possibly conflicting, rules and gaps in privacy protection that could harm Canadians, the federal government needed to act. Canada required a national privacy standard to ensure consumer confidence and regulatory certainty for businesses.
At the outset of the new millennium, PIPEDA was created to address the privacy concerns arising from a period of technological disruption fuelled by the rise of the Internet. It provided a framework with robust privacy protections and the flexibility to support the legitimate needs of businesses to use personal information. It also provided a mechanism by which the provincial private sector privacy laws could be considered substantially similar. This meant that where such a law is accorded that designation, PIPEDA does not apply to an organization's activities within a province.
In 2004, Alberta and British Columbia passed private sector privacy laws that are considered substantially similar, as is Quebec's law. A number of newer provincial health information laws have also passed, since 2005, that have been appropriately designated as substantially similar.
PIPEDA would continue, however, to apply to the federally regulated sector in a province and to any personal information collected, used or disclosed in the course of commercial activities across provincial borders. This provided a stable regulatory environment and flexibility for the provinces, and supported Canada's trade interests for many years.
However, today we are faced with a changed environment. Today, in many ways, history is repeating itself, but the risks have evolved. The role of digital technologies is considerably more central to our lives than it was 20 years ago. Just consider our experience in recent months with the pandemic. To harness all that the modern digital world has to offer, we clearly needed to modernize our federal private sector privacy law.
In a globally connected economy, our laws needed to be consistent with those of other jurisdictions. Internationally agreed privacy rules, such as the OECD privacy guidelines, first introduced in 1980, were updated in 2013. So too, I might add, more recently, was the APEC privacy framework. Indeed, privacy laws based on these international norms have been changing and advancing in Europe, Japan, South America and New Zealand.
What have these changes entailed? Core privacy principles have remained, though some have been expanded, such as accountability and breach reporting. New elements, such as enhancing rights of erasure and mobility rights, a greater emphasis on transparency, more certainty for businesses and consumers through codes certification and stronger consequences for non-compliance, have been the principal hallmarks of many of these evolving changes.
Closer to home, this summer, Quebec introduced amendments to its private sector privacy law, and B.C. recently conducted a study on its own laws. Ontario too is considering introducing a new private sector privacy law. Stakeholders have told us they are worried about the burden of multiple laws with different requirements. They demanded harmonization here at home.
There is a clear need for the progress and reforms included in the digital charter implementation act, 2020. If we do not act, there is a risk of further fragmentation of privacy rules across the country. We need to keep up with changing technology and business practices, and incorporate the best international practices, protocols and safeguards in our own domestic laws. We also need to set a common standard for privacy protection for the private sector across Canada.
Like the current PIPEDA, the new CPPA would be grounded in the federal trade and commerce powers. It recognizes the very importance of doing business on a national basis and in an economy that must work across provincial boundaries. Also, like PIPEDA, it would provide for a mechanism to recognize provincial laws that are substantially similar. These regulations would set out the criteria and process for such recognition or for reconsideration of it, and would continue to provide the provincial flexibility that has been important to PIPEDA's success. CPPA, like its predecessor, would maintain the Privacy Commissioner's ability to collaborate and co-operate with his or her provincial counterparts, an important tool to ensure consistency.
As the minister emphasized earlier today, the focus should always be on compliance. Some ask why we cannot have just one national law. The answer, of course, is that Canada is a federation; there is a division of powers. Indeed, the provinces provide important coverage that a national law cannot, under our Constitution.
I would be remiss if I did not also acknowledge the international context.
We live in an interconnected world. Data are constantly flowing across borders. In 2002, the European Commission recognized PIPEDA as providing adequate protection relative to EU law, allowing for the free flow of personal information between Canadian and European businesses. However, in 2018, a new EU regulation came into effect: the General Data Protection Regulation. It updated many of the existing requirements and added strong financial penalties for contraventions. The EU is currently reviewing its existing adequacy decisions, including the one applying to Canada.
That is why the government launched Canada's digital charter in 2019. Its 10 guiding principles offer a firm foundation on which to build an innovative and inclusive digital and data economy. The principles of ensuring interoperability, a level playing field, strong enforcement and real accountability are clearly reflected in the digital charter implementation act.
I want to thank members for their attention today, and I can assure them that our approach to privacy protection respects the privacy rights of Canadians. It is pragmatic, principled, meets our trading needs and provides a consistent, coherent framework that Canadians and stakeholders can rely on.
With Bill C-11, we will continue to encourage trade and investment and grow an economy that extends across provincial and international borders alike.