Bill C-11 (Historical)

Mr. Speaker, agriculture and data is a growing area of expertise. I would just point out that if someone goes to a John Deere dealership today, one of the things they will see there is a dirt probe. I used to think that John Deere just sold tractors, but today they sell a moisture probe with a weather station on top of it. They will set that up in the field so that a person, via satellite and cellphone, will get real-time information about the soil conditions, soil nutrients and weather conditions of the fields, which may be scattered around the country.

Martin Deerline, the John Deere dealer in my area, has a whole suite of those data collection agencies. People have to pay a particular monthly fee for that service. Where that data goes and how it is all managed, I am sure, is covered by this bill.

I look forward to hearing from them at committee.

Mr. Speaker, I would like to start by saying that I will be splitting my time with the member for Richmond Hill.

I am speaking here on the traditional unceded lands of the Algonquin people.

At the outset, I want to thank the Minister of Innovation, Science and Industry and his team for bringing forward Bill C-11, an act to enact the consumer privacy protection act, CPPA, and the personal information and data protection tribunal act. These are important aspects as we, as a country, address the issues of privacy in relation to the enormous amount of information that is constantly gathered, and exists about all of us.

We are in an age when with a cellphone we have more information at our disposal than several libraries put together. We are able to access personal information about virtually anyone who has a public profile, and certainly about anyone who has created a profile in one of the major platforms, whether it be Facebook, Twitter, Instagram, TikTok or LinkedIn, and the list goes on.

These have posed obvious questions for all of us as policy-makers or even as individual consumers in terms of how this information is used, how it is reproduced, copied and misused. We have seen the worst of it over the years in platforms like Facebook where information may have been reused over and over again.

At the centre of this legislation are three major aspects. First and foremost is consumer control over individuals' personal information that is out there.

Second, it is about innovation. I know the previous speaker spoke about the balancing act that we need in order to ensure free speech and privacy.

The third element is to make sure that innovation continues. Innovation is absolutely important for a country like Canada. I know many innovators in my community who have done exceptionally well. I have spoken about many of them here. The University of Toronto Scarborough campus has a hub in which many local innovators have come forward and have developed in my riding of Scarborough—Rouge Park.

Members may know of the company, Knowledgehook. It is a company founded by my good friend Travis Ratnam. The company was just given additional funding of $20 million to expand the program. It is a platform that allows students and teachers to work together to use AI, devise curriculum and make sure that the weaknesses of each student are highlighted to the teachers so that the teachers can respond.

In all of these new forms of technology, there are questions of privacy. We worry about the relationship between, for example, companies gathering data for the purpose of insurance, whether health, life, or auto insurance, and the data that sometimes is readily captured in our day-to-day use.

All of these issues have become pronounced during COVID. We see that education, for example, is now online for many students whose parents choose to have their kids study from home via the Internet; or for many post-secondary students who are studying virtually. I always go back to the University of Toronto Scarborough campus, which is located in my riding, but there is also Centennial College, where most of the students are learning virtually. These again have complicated the challenges for ensuring that privacy is maintained.

The digital charter that is before us does really allow for consumers to have control over their personal information, and it allows for innovation and a strong enforcement oversight. Sadly, the enforcement aspect has been quite weak in Canada over the years. We do not have adequate enforcement. In fact, technology itself is hard to enforce, whether in Canada or other parts of the world.

The enforcement mechanism that is built into this legislation is critically important for us to look at. It is what makes this legislation accessible to individuals who may have a complaint. The enforcement mechanism looks to have individuals appointed through the order in council process.

I want to speak about the way our government, since taking office in 2015, has managed to put together proper processes to appoint individuals to these important bodies, including judiciary and administrative tribunals, but also other bodies that make critical decisions.

We are focused on ensuring a merit-based system that ensures the individual is fully qualified to make decisions on a particular issue. For me, my work on the Standing Committee on Immigration and Refugees was a great learning experience. I saw first-hand how the IRB was transformed from a patronage-based appointment process to one that is merit-based. We see decisions coming out of the IRB that are fully reflective of the quality of candidates we put on those boards.

When we look at appointments, it is meritocracy, but also diversity. We note that in previous governments, judicial appointments have often been focused on men. In fact, in the last several years, we have now achieved gender parity. We are looking at enhancing that and we are working toward greater diversity among other groups in Canada, including people with disabilities. I believe the enforcement mechanism is critical and we have taken concrete steps in that regard.

To note, there are monetary penalties that this tribunal could issue. For example, there is a penalty of 3% of global revenue or $10 million for non-compliant organizations. For a company like Facebook, Google or one of the major outfits, 3% of their global revenues is significant. The maximum penalty is 5% of global revenue or $25 million for certain types of contraventions.

The government and the Minister of Innovation have brought forward a very important piece of legislation. It appears to have the support of all parties. I am particularly impressed with the data protection tribunal act that is built into this bill and the mechanisms that allow for individuals to access the type of redress that is required.

I look forward to questions from my friends opposite.

Mr. Speaker, this is an interesting piece of legislation. One of the questions that was posed earlier in the debate had to do with the fact that political parties are omitted from this legislation and that their use of personal information is not considered. The response provided by the Minister of Industry earlier was that the bill really deals with commercial uses of data, yet I read in the index of the legislation that it also deals with “statistical or scholarly study or research”, “Records of historic or archival importance”, and “artistic or literary purposes”. These are clearly not commercial uses.

Does the member agree that it is an omission that political parties are not dealt with by the bill?

Mr. Speaker, I think many of us have been watching elections overseas in the last several weeks, and I am quite impressed with our Chief Electoral Officer and Elections Canada, which is an independent body that regulates elections. I believe that Elections Canada is well suited to be the arbiter of these issues, particularly with respect to elections. It is definitely an area that our Elections Commissioner will take note of in the coming years.

Mr. Speaker, to pick up on that point, whether it is Elections Canada or the commissioner, there is opportunity to ensure that these lists are protected, and there are instructions given out to parties, candidates and people who are recipients of the data.

I do not know, but this may be a better question to ask to the members who put forward the question, whether or not Elections Canada has actually solicited this sort of a recommendation. I am not necessarily aware of it, but I would be very much interested if in fact members of the New Democrats or the Bloc, who have raised this issue, have been in talks with Elections Canada. This is more of a comment than anything else.

My question to my colleague is more in terms of getting this type of legislation forward and how it would help individual Canadians and businesses going forward, because through this legislation, we would see new regulations to protect our interests. Would he not see that as a very strong positive for all of us?

Mr. Speaker, every candidate who puts forward their name signs a declaration with Elections Canada about privacy and on the information that we receive from Elections Canada, and so I think that there are mechanisms in place with Elections Canada to address some of the privacy concerns.

Obviously, with respect to this particular piece of legislation, I do want to reiterate the enforcement mechanism, which is critical, but enforcement sometimes is inaccessible to the average Canadian. I believe that the tribunal process that is set up here would allow individual Canadians to access some closure and support for challenges that they may have with a breach of privacy.

Mr. Speaker, it is an interesting point that was raised about Elections Canada.

I believe that Elections Canada has strong rules around the use of the voters list, but, of course, political parties collect personal information using so many other means. It is the regulation of that other information that is particularly germane and could be covered under this piece of legislation, which is something that we have been pushing for.

Could the member comment on the omission of any treatment of that kind of information?

Mr. Speaker, I believe these are the types of questions that ought to be brought up at committee, and I do think that it is a valid concern. Again, back to Elections Canada, when we look at the governance of political parties, at third party advertising and all the different measures that our government in the last Parliament and previously has put forward, I do think that Elections Canada is best equipped to address the issues of privacy, which are absolutely valid. I appreciate the question, but I do think it should be within that purview.

Mr. Speaker, I am pleased to rise today to speak about the digital charter implementation act, 2020. I want to talk specifically about the balanced approach to the compliance and enforcement set out in the consumer privacy protection act, also known as the CPPA.

Canadians have told us they want to see strong consequences for those who mishandle their personal information. Financial consequences can be an important tool in protecting Canadians’ privacy, but so is helping organizations comply with the law at the outset.

I am pleased to say that the CPPA takes a very balanced approach to compliance and enforcement. It would help companies get privacy right from the ground up, and takes a phased approach to enforcement to correct problems as soon as they are discovered. The CPPA would incentivize organizations to get their practices right from the start, and the Privacy Commissioner would have a prominent role in supporting these organizations.

Under the CPPA, businesses would be able to approach the Privacy Commissioner for a no-risk review of their privacy management program and help them comply with the law. The commissioner could also ask to review their business programs, without using what he finds in an enforcement action. This is a very important step in early correction of problems. Under the current privacy regime, companies subject to the law are already required to establish a privacy management program, which would be maintained in the CPPA.

Privacy management programs can cover a wide range of issues, such as how companies handle service providers or third parties that support their businesses, how they respond to security breaches, privacy risks assessments, mitigation measures undertaken, and so on.

However, what is new is enabling the Privacy Commissioner to have a look at these policies and practices outside of an investigation. This would provide a safe space in which the commissioner could provide advice and companies could quickly take action. At the same time, the commissioner would benefit from examples of the challenges organizations are facing and their needs in the privacy space.

We know Canadian companies, especially smaller ones and those starting out, will be very interested in these changes.

The CPPA would also recognize not all organizations are the same. Some deal with minimal amounts of personal information, and for others it is central to their business model. Therefore, the CPPA would allow organizations to develop their programs according to the volume and sensitivity of the personal information they handle, as well as a company’s revenues.

The Privacy Commissioner has had a long-standing role in undertaking research and publishing guidance. The Minister of Innovation, Science and Industry has also long had the ability to ask the commissioner to conduct research on privacy issues. This ability would remain in the CPPA. However, the minister would now be able to ask the commissioner to conduct research into the implementation or operation of the act. This would help the government know how well the law is functioning.

The Privacy Commissioner has prepared a lot of guidance materials over the years. We support this vital role. We want to reinforce a long-standing practice of the Privacy Commissioner to consult with stakeholders in guidance development. This practice would now exist in law so that guidance can be informed by what is happening on the ground.

The Privacy Commissioner would also consult with government institutions where relevant. There may be times when government policy may be implicated, such as with trade policies or public health.

These past months have shown us how vital it is for federal organizations to have a unified response on our most pressing challenges. By legislating, we are providing certainty to Canadians that guidance has been discussed with those on the ground.

I have stated how the bill would ensure organizations build privacy considerations from the start. Working with organizations and giving guidance individually is a fundamental role of the Privacy Commissioner. We want to avoid any problems, but there will be organizations that do not get things right.

The law provides individuals with the right to challenge an organization’s compliance with the law, and it allows them to file complaints with the Privacy Commissioner. This is an important exercise of their privacy rights, and the Privacy Commissioner retains his ability to initiate a complaint investigation where there are reasonable grounds to do so. The CPPA would also encourage the resolution of problems as early in the process as possible, and the bill would provide for dispute resolution.

Compliance agreements, a new tool introduced under PIPEDA, would remain in the CPPA. Companies are encouraged to come to the table to work out an agreement with the commissioner, without resorting to more formal measures such as orders. If no resolution is possible under PIPEDA, the commissioner would make recommendations at the end of an investigation and the matter may go to court. The court would then start again, with a new proceeding, and maybe it would issue an order. Few cases have gone that route, however.

Under the CPPA, the commissioner would be able to issue orders as well. To ensure fairness, a new process, called an inquiry, internal to the Privacy Commissioner’s office, would be introduced prior to issuing orders. Once the inquiry is over, the commissioner would issue his findings and decisions and may make orders to an organization to change its practices to bring it into compliance.

The Privacy Commissioner may also recommend administrative monetary penalties, or AMPs, to a new tribunal for certain contraventions of the CPPA. The personal information and data protection tribunal would hear any appeals of the commissioner’s decision and, if required, would decide whether to issue an AMP and, if so, the amount.

In our consultations, many industry stakeholders expressed concern over AMPs, which have the potential to significantly affect an organization’s bottom line and even put smaller companies out of business altogether. By introducing an inquiry phase before issuing orders, and by separating the imposition of AMPs from the commissioner’s other responsibilities, the CPPA would support additional due diligence in decisions to impose AMPs.

We anticipate that some organizations will challenge the commissioner’s orders and recommendations. We do not wish to burden the courts. This is another reason for introducing a new tribunal. It is intended to be less formal than the court and ease access to justice for organizations and individuals. After the tribunal issues a decision, if an organization or individual wants to, they could proceed to federal court and request judicial review.

As my colleagues can see, overall this is a very balanced and phased approach. The CPPA would place strong emphasis on proactive compliance activities, such as reviews of the privacy management programs, guidance development and consultation. When there are possible contraventions, the goal is resolution. If that cannot be achieved, matters would become more formal. This graduated approach to enforcement is built on the foundations of fairness, transparency and meaningful opportunities on all sides to achieve compliance, which is what we know Canadians want.

Many have said that Canada’s private sector privacy law needs more teeth. The digital charter implementation act, 2020, would give it that, and it would do it in a way that organizations that want to do the right thing have the incentive to do so from the start.

I am thankful for the opportunity to speak about how this important bill works to address Canadians' concerns in a measured way.

Mr. Speaker, I want to speak to my friend about the enforcement mechanisms. What are the major aspects of them that would allow individual consumers to get results through a complaint process?

Mr. Speaker, first of all, I want to thank the member for sharing his time with me and for his great intervention earlier.

I noticed the member talked extensively about enforcement. He highlighted that the legislation would provide administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. Also, it contains an expanded range of offences for certain serious contraventions of the law, subject to the maximum of 5% of global revenue or $25 million.

These are some of the enforcement mechanisms that will be accessible once the process has been completed.

Mr. Speaker, does the member believe there has been adequate consultation regarding this legislation, particularly with the provinces that have their own privacy acts covered under PIPEDA?

Mr. Speaker, I believe that yes, there has been sufficient consultation. The genesis of the bill goes back to 2000, and through the progress of time, there have been a number of consultations, in 2017 and 2019.

As the member is quite aware, a number of provinces have legislation equivalent to PIPEDA or the CPPA. The most important thing is that all levels of government are working together to ensure that the privacy of individuals' personal information is protected.

Mr. Speaker, I will ask the same question I previously asked another hon. member. It is about data security.

The bill targets private companies. With the CERB, we recently saw that hundreds, perhaps thousands, of people were victims of fraud. When they receive their notice of assessment in April or May, they will learn that they owe money because they did not qualify for the CERB and collected it illegally.

If the government is working on cleaning up privacy laws in the private sector, why not put its own data protection system in order?