Bill C-11 (Historical)

Mr. Speaker, it is a great opportunity to rise today to speak to Bill C-11.

We are surrounded by data that seems to be out of control, lost by corporations, sometimes stolen from governments. Data that we voluntarily give up about ourselves is being collected billions of bytes at a colossal rate. It has a tremendous impact on our privacy and what is being calculated or inferred about us in our daily lives, such if we have a good credit rating, or if we can buy a car or when we go for drinks with a colleague. All of this is very much apparent today, particularly during this health crisis when people are definitely at home and using the Internet to a greater extent.

Everything we do today has some impact on data. Whether we take an Uber or order a meal, that data is collected. Quite frankly, we need to ensure people's privacy is protected.

Why does privacy matter? It is a question that has arisen in the context of this global debate, made worse by this pandemic, where millions around the world have come to rely on computers to carry out a function for their very lives. When we hear arguments about Internet privacy. A lot of what we hear about this mass surveillance is that there is no real harm due to this large-scale invasion, that people have nothing to hide. Those engaging in bad acts have a reason to want to hide and care about their privacy.

This is presupposed on the assumption that there are good and bad people in the world. Bad people who plot to take down governments and plan public attacks are the people who have reason to care about their privacy. By contrast, there are good people, people who go to work, pay taxes, care for their children and use the Internet, not to plot civil destruction but to read the news and find recipes. These people are doing nothing wrong and have no reason to hide.

In a 2009 interview of the long-time CEO of Google, Eric Schmidt, when asked about the different ways his company was causing the invasion of privacy for hundreds of millions of people around the world, he said, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.” There are many issues with this statement, one being that this is the very Eric Schmidt who blocked his employees at Google from speaking with the online Internet magazine CNET after it published an article full of personal private information, which was obtained exclusively through Google search and Google products.

A few short decades of the Internet, once held as an unparalleled tool of democracy liberalization, have been converted into an unparalleled zone of mass indiscriminate collection. Enter 2018, when the EU has set the global standard for privacy regulation with the flagship general data protection regulations, known as GDPR, signalling to Canada that our 1990s era of the Personal Information Protection and Electronic Documents Act did not have the teeth to take on big tech.

Bill C-11 would bring in additional privacy regulations. Replacing PIPEDA with CCPA would provide an opportunity for greater detail within the law rather than just relying on the interpretations of the Privacy Commissioner. This is a good thing.

The structure will include a personal information and data protection tribunal that will play a key enforcement role by reviewing all commissioner decisions and issue penalties for non-compliance. There will be an expert tribunal composed of three to six members, but interestingly enough it says there may be only one expert, which may be a deficiency in the act.

What are these new privacy rights? One is data mobility. Subject to regulations, on the request of an individual, an organization must, as soon as feasible, disclose the personal information that is collected from an individual and to an organization designated by the individual. Data mobility is a fact of life and this is a good thing. What format that data will be transferred in will need to be discussed.

On algorithmic transparency, if the organization has used an automated decision process to make a prediction or recommendation, then the organization must, on the request of an individual, provide an explanation of the prediction, recommendation or decision and the personal information that was used to make the prediction. It seems like a reasonable intent and is something it should be able to do without giving up the code.

With respect to de-identification, the bill states:

An organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified...

Then there is the new enforcement. The Privacy Commissioner of Canada will have the order-making power that will enable the office to order compliance with the law and recommend significant penalties.

I should mention I will be sharing my time with the member for Calgary Centre.

In some cases, the recommended penalties are the highest in the G7, so they are significant. The expanded range of offences for contraventions of the law are a maximum fine of 5% for a global revenue of $25 million. There are administrative penalties as well.

One of the issues I see with this is that the legislation and penalties invoke fear, but there will be a question of whether there is adequate teeth for enforcement.

The law includes whistleblowing provisions that protect those who have disclosed alleged privacy non-compliance and a private right of action that will allow individuals to seek damages for loss or injury suffered through privacy violations.

There are new standards of consent. This has been a big issue for individuals. How many people have signed up to a site, with three pages of disclosure to which they are supposed to consent? I would argue that very few people will actually read that kind of detail. Therefore, there is an attempt within the legislation to use clear language and simplified consent. Given the depth of the legislation, that may be a difficult thing to achieve, but is a worthwhile goal.

Deceptive practices to obtain consent with false or misleading information renders the consent invalid and individuals can withdraw their consent at any time. There is the question of whether people are providing consent for multiple activities or just an individual activity. That should be clarified.

The realm of data is largely uncharted territory and we find ourselves asking the question of who owns our data. Our opinion is that people own their data and they should own their data.

The word “consent” is mentioned 108 times in the GDPR. In the first reading of Bill C-11, it was mentioned 118 times. This sounds great. Who could possibly be against the consent of data? Challenging consent seems counterintuitive in the world of privacy because it is so linked to us and our autonomy. However, it is both impractical and undesirable and serves to explain why our privacy law is in such a sorry state. It is imperative the legislation is written with as little room for interpretation as possible.

There are some standards within that bill. It states:

An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2)...

Under that subsection, it states:

(a) a reasonable person would expect such a collection or use for that activity; and

(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.

The issue is this. If that is subject to interpretation, we could have a pretty broad interpretation of what it says. Hopefully this act, with the regulations that follow, will clearly define what is in and what is out.

At the end of the day, if we are using services, many services are disrupting, shaping and helping our lives in ways we could not have possibly imagined mere decades ago. Whether we like it or not, it is big tech that has provided these realities for us and the government should, as with any other key stakeholder, create meaningful, effective and collaborative policy but require consultation. It is one thing to consult in front, but now that we have legislation, we need to ensure we get it right. We need to ensure that industry, particularly small businesses, remain competitive. The bill is being sent for review to the privacy and ethics committee. There is a strong argument that industry committee should have a look at this bill as well.

Therefore, proper consultation must happen. There is nothing wrong with doing that. I hope the government will ensure the bill is properly consulted on.

Mr. Speaker, I want to pick up on the issue of enforcement. Could the member talk to us about the elements of the bill that are critically focused on enforcement and what, if any, changes could we look at to strengthen it? It is a very strong starting point, one that will make complaints accessible to the average consumer. I would like my friend's comments on that.

Mr. Speaker, what is in the act, with the increased fines, certainly provides somewhat of a deterrent. People are going to look at those fines. Then it becomes the reality of how do we ensure we enforce those fines. This is a new system with this tribunal. It looks like there is the potential for it to have more lay persons on it than actual experts in the field, which concerns me. I am concerned that this is the fear of enforcement to try and derive the result needed. There have to be adequate provisions within this act to ensure bad players are held accountable.

Mr. Speaker, the regulation-making power we give the government through legislation, in some sense, requires us to trust the government to put those regulations in place in a way that respects the public interest. The challenge we have when it comes to privacy is the that government does not have a great track record with respect to its own actions and its respect for privacy. This raises some concerns about whether we trust the government to enact these regulations in an effective way and properly enforce them.

Does the member have further comments on that?

Mr. Speaker, I have the same concerns. The track record is not there with the government as it relates to privacy. We have seen this in a variety of different areas where it has not taken this sort of thing serious. That is all the more reason the bill needs significant review to ensure we get it right.

Mr. Speaker, on that particular point, I would remind the member opposite that the legislation before us today went through a lengthy process of having all forms of consultations with many different stakeholders, industry leaders and even our standing committee, which has also incorporated many thoughts within the legislation.

I have heard that in the last two years information on the Internet has almost doubled. We can only imagine what it will be two or three years from now. This type of legislation is badly needed and it is a good starting point at the very least. Would the member not agree?

Mr. Speaker, absolutely, it is valuable, but it really raises the question about why the Liberals would prorogue Parliament. Why would we not get on with these things? This is the kind of legislation that has been delayed. The government has been studying it. It is one thing to take consultation before developing legislation, but it one's interpretation of what was heard from the consultation. Until we actually hear from people on what they think, now that they see this legislation in writing, we cannot necessarily determine if it will get to the goals to which we aspire.

Mr. Speaker, another concern I hear from Canadians is about threats to their privacy from foreign actors, perhaps foreign state actors, and the need for the government to respond to that threat.

Does the member have a comment on how the legislation would impact concerns about foreign threats to our privacy?

Mr. Speaker, there are no specifics in this particular act that would deal with that directly. That is all the more reason this particular piece of legislation needs more study.

Mr. Speaker, today, I rise to give my input on Bill C-11, the digital charter implementation bill. I am happy to give this input. It is a timely bill for Canadians because this bill is about access to people's information and, more important, how that information is monetized by others. At a time when big corporations around the world are earning billions of dollars very quickly from information, getting in front of this issue right now for Canadians is very important.

What is being sold? Canadian information is being sold. What do Canadians privately own of their own data? This is the question that should be addressed in this bill. The converse of this, of course, is the targeted marketing and what Canadians get from the fact that they are giving away their information so they are getting back more services that might be tailor-made to them. It is one of those areas where the intent of Canadians not to give away their data and the result of that data that they willingly gave away, in many instances can be very contradictory. Let us tell Canadians first, as my colleague said here earlier, that they are the product.

Phones are listening to us. Computers are listening to us. Sometimes, computers are watching us. Sometimes, when my sons at home have Siri on, they say, “Siri, turn on”. Siri comes on and I tell them, “Siri was listening the whole time because it just turned on when you told it to turn on.” A lot of information is being culled. We do not know which of that is resting with us, and which of that is public information to be monetized by somebody else.

When I read this bill, I saw a bureaucratic solution designed by bureaucrats for use by bureaucrats, with what will be minor effect for the Canadian population in general. As much as we would like to make sure that we actually do deal with the issue around Canadians' private information that is provided online, we do need to make sure that it applies consistently across our country. It is a bubble created by a bureaucracy, and that bubble is lacking any consequences for mistakes and those mistakes will happen within the bureaucracies of the Government of Canada. In essence, from the Government of Canada's level, everything in this bill shows a complete lack of accountability for the government about how it might misplace or misuse Canadians' data.

I recall, years ago, the government's approach to what was the no-call list. There was a lot of telemarketing going on at the time and the government came out with a solution. If people registered their phone number it would ensure they did not receive telemarketing. We all jumped on that because on our land lines at the time we were getting a lot of telemarketing. When that registration came up, of course my land line was registered and it said to put in my cellphone number too. I put in my cellphone number, and the next day I started receiving telemarketing on my cellphone where I never had before. What apparently happened is the Canadian government's site had been hacked and all that information was sold to telemarketers. It is a shame because it got no money for it. My information was given away for free and a whole bunch of telemarketers got something from the Government of Canada that was literally stolen from Canadians. Therefore, my data was somebody else's, without my consent, as a result of my contribution to the Government of Canada.

Consumer pricing protection is something that would fall in the same type of realm. How do we make the Government of Canada accountable for what might happen with the data that we willingly give the Government of Canada? Will there be fines? Do we actually tell the Government of Canada that if it does not protect this information the Canadian government is going to fine the Canadian government and therefore the taxpayers are going to have to contribute to the government's fining itself? It is a bit of an around-the-world kind of trip, much like quantitative easing.

The problem is, who has this information about me? I do not know, but the party I am forced to disclose the most information to, that I know about, is the Government of Canada.

Let us discuss how stopping that government body in charge of the information I provide is mishandled. That would be the Canada Revenue Agency more than anybody else. It has my financial information, all kinds of dates and my social insurance number. Frankly, having dealt with it for years, it is a disaster of an organization. It has the wrong information. It processes information badly. It is the worst organization to try and fix bad information. That is the Canadian government.

Let us look at what happened in the last handful of months here with the CERB. Data was pilfered and Canadian payments during a pandemic were misdirected. How much of the $400 billion spent is legitimate and how much is as a result of data hacks that went to the wrong entities? Canadians are paying for these mistakes. Canadians are paying now and Canadians are going to continue paying for generations.

The legislation looks like it is designed for large organizations. Let us start with banks. Banks are another organization that we provide a lot of information to and they have a lot of information about us because they handle our financial information. They know how much we are worth, they know how much we have on deposit and they know how much we owe on our mortgages. They are pretty deep as far as what they understand about us.

There are all kinds of small businesses here, as well, that we need to apply. I want to read from this legislation something that should scare any small business person. This is about privacy management programs as required under this legislation. It states:

Every organization must implement a privacy management program that includes the organization's policies, practices and procedures

It further states:

the organization must take into account the volume and sensitivity of the personal information under its control.

What does that mean and how do we interpret that? Further, an organization:

must ensure, by contract or otherwise, that the service provider provides substantially the same protection

They have to ensure something nebulous is provided by their service provider when forwarding information.

Let us get on the ground here. Someone can walk into a pharmacy and that pharmacy wants the Alberta health care number, which is private government information. The retailers want that information so they can continue to track certain things someone does. They know how much of a person's spending they have and they know how much they can market other products to that person if getting some kind of prescription. Government data is quickly translating over into retail data. That is not exactly something we want to provide.

I will go further here because seniors are the people most affected by this. There are so many seniors who are bearing the brunt of the pandemic. There are issues we go through as we age, including financial institutions, insurance companies and all service provides. Many take advantage of seniors in many respects because things get very complex. We want to make sure our seniors are taken care of in a system that continuously evolves, advances and gets more complex. That is something this legislation should take care of more than anything else.

I do not like being just critical. There are also good things in this legislation and I am going to point them out. The purposes of this legislation are that an organization must determine:

each of the purposes for which the information is to be collected, used or disclosed and record those purposes.

The information for consent is also required. Forms of consent are also defined within. The withdrawal of consent is there, as is the disclosure to cease that actual consent.

Another good thing is there is a period for retention and disposal of data that we provide organizations. An organization must not retain personal information for a period longer than necessary. These are very good advances in the legislation. I thank the drafters of the legislation for that.

I have questions on some of the other parts of this legislation as well. On the transfer of information to service providers, organizations may transfer an individual's information to a service provider without the client's knowledge or consent. They would still be monetizing data that gets collected by one retailer or provider and—

Unfortunately, time is up. I have been giving the member a bit of leeway.

The hon. parliamentary secretary to the government House leader.

Madam Speaker, I am encouraged that the Conservative Party has seen the value of the legislation to the extent that it wants the bill to go to committee, at which I anticipate amendments will be brought forward.

Could the member provide further thought about the implications that have been suggested with respect to the Government of Canada. Does he feel there needs to be specific amendments related to the Government of Canada? Does he want the Privacy Commissioner to do more? What specifically is he thinking about? He referenced programs like the CERB and so forth.

Madam Speaker, there are significant penalties in the bill, such as $20-million, $25-million or $30-million fines or 3%, 4% or 5% of global revenue from an organization. These are going to be pretty significant organizations if we are talking about global revenue. To this point in time, I have not seen how the government calculates global revenue, but I am curious. These types of things do not apply to ma and pa shops and people on the ground collecting information. It is geared toward large organizations.

A question arises from that. We are talking 3% or 5% of global revenue that would flow to the Government of Canada for a transgression as opposed to an individual who lost data. Who still owns the data would be the big question.