Bill C-11 (Historical)

Madam Speaker, I want to thank my hon. colleague for giving a great speech. It seems like nine years ago that we sat on the ethics committee, but I think it was only three years ago. We use the number nine a lot in the House.

Today, I want to speak about why nations fail. To quote Acemoglu and Robinson, “Nations fail today because their extractive economic institutions do not create the incentives needed for people to save, invest, and innovate.” As a whole, that also includes privacy: the right of businesses to operate and the freedom of citizens to operate.

We can go all the way back to something I am very fascinated with. North America and South America were founded around the same time, but how did North America end up becoming so rich and wealthy and South America did not? It comes down to those same pillars. We allowed freedom to operate. We allowed freedom for patents to be developed, especially in the Industrial Revolution. We allowed people the freedom to have their own land, to have privacy on their own land and to own businesses with patents, allowing privacy for those businesses to operate, to get investments and capital and to grow.

What we saw from that was a tremendous amount of wealth, more wealth than the world had ever seen. It formed a capitalist society that allowed wealth to be owned by individuals. People who used to be poor became wealthy, and that allowed a nation like Canada to have socialist capitalism. With this tremendous amount of wealth, there was the ability to have socialist programs like a universal health care system.

When we do not follow the narrow corridor, and it is a very narrow corridor, not only with liberty but also with capitalism and socialism, and we stick with the fundamentals of privacy, investment, free capital and patents, we lose the wealth of the nation. With that, the citizens suffer.

After nine years, we are seeing that reality here in Canada. We have the worst housing crisis this country has ever faced. Rents have doubled. Mortgage payments have doubled. The amount needed for a down payment has doubled. Nine million Canadians are now food insecure. That is one-third of Canadians, and that number in the U.S. is barely 13%.

We see the problem with businesses fleeing this country. We talk a lot about what that means for AI and having great ideas. We also talk about IP, the currency of innovation. When we look at what happens in Canada, the numbers are startling. Canada files 40,000 patents annually compared to the 374,000 the U.S. files, and only 13 out of 100 patents are owned by Canadians. That means we give away over 87% of our patents to foreign nations; we give that data away.

When we look at what that means for the Americans, we see they generate 12 million jobs and $2 trillion from patents and IP. Of course, AI is among that. In Canada, that number is less. The best way to look at it is by using GDP per capita or income per capita. The GDP per capita for Canada is $53,000, compared to $80,000 for the U.S., more than a 36% difference. We have seen less capital and less ability to invest, save and innovate.

We can couple that with the problems with the business investment and productivity we have seen in Canada and the lack of privacy. Of course, the government has tried, but as with a lot of things, it has tried and failed. It presented Bill C-11 before the last Parliament and could not get it through. In this Parliament, it submitted Bill C-27, and at the last minute, it threw AI legislation in it called the AIDA. What happened at committee? I know the Conservatives get blamed for this, but at committee, the Conservatives, the Bloc and the NDP all came together to say this bill was terrible in the way it was presented. Even the Liberals were filibustering it in committee at one point.

We need these bills to work. The Conservatives have been steadfast that privacy is a fundamental human right, and not only privacy for individuals in Canada but privacy for our children. We know the results of not having the right legislation come forward and not having privacy protection in Canada. We saw it at the ethics committee two years ago when we faced the daunting speculation of privacy in facial recognition technology.

This technology was misused. A company called Clearview AI scraped images off the Internet, and we know how many images are on the Internet. It scraped everyone's face off the Internet and sold those images, which should not be owned by anyone.

Privacy is a fundamental right. However, the thing we have come to also understand about AI, which was discussed at committee but was not in the legislation, is that it should never be able to use someone's face or likeness without their permission. Those are the biggest problems we are having. The biggest thumbprint we have, the most unique thing about us, is our face. Our colleague from the NDP brought this up, but the main point that came up at committee about facial recognition technology was this: When this technology was used by the RCMP and our police forces in Canada in terms of marginalized and minority groups in Canada, Black women and Black men, the technology misread their face and misidentified them 30% of the time. That is terrible.

Technology is supposed to make things better, and we could not believe what we were hearing. Police representatives were at this committee multiple times and testified that it misidentified these groups 30% of the time. That is a failure; it is ridiculous. This is something that should not be used. We went through all the reports on ethics and brought the final report to Parliament two years ago, in October 2022, with the recommendation to outlaw this technology until it gets better.

Here we are today, two years later, and this technology has not been outlawed. It has been in place for two years since the ethics committee found that there were these breaches. It is terrible that these breaches have been happening for so long. Today, as we stand in Parliament, facial recognition technology, which we call digital racism, is still allowed to be used in this country.

Again, it follows the bigger problems we have with the government, and not only with the recommendations that come from committee. The government always talks about filibustering. These are recommendations in a report that could have been done without Parliament's consent, because it was enacted by Parliament and came to the House to begin with. Here we are two years later, and that has not happened.

Let us talk about all the other things that have not happened either. With respect to privacy, Bill C-27 is still in committee based on, again, the fact that the Liberals are filibustering their own bill. It is just terrible and needs to be redone. I think we all agree on the first part of PIPEDA and how that is going to be done. The Liberals do not, but we agree that the tribunal should be eliminated and that more power should go to the Privacy Commissioner. Again, those privacy breaches and the rights should be governed by the Privacy Commissioner as a whole.

We looked at the proposed AIDA as a whole. AIDA was riddled with delays and inefficient guidance. It failed to provide the necessary oversight, allowing technologies such as facial recognition to remain largely unregulated. It was supposed to be prioritized legislation, yet it was wrong. The industry minister brought the legislation to the committee, and three months later, he brought 60 different amendments to his own bill. We had never even heard of that before, and it certainly was not a good bill.

I want to talk briefly about what is happening because we do not get privacy investment right in Canada. This is going to have long-term impacts. The capital gains tax hike is expected to reduce Canada's capital stock by $127 billion, resulting in 414,000 fewer jobs and a $90-billion drop in GDP. We cannot afford to lose control of our most valuable ideas or allow unchecked technologies to undermine our freedoms. Nations fail today because their extractive economic institutions do not create the incentives needed for people to save, to invest and to innovate.

The consequences are already visible. Nine million Canadians are food insecure. Two million Canadians are visiting food banks, and this rate is 36% higher than that in the United States. It is time to reverse course. Let us regain control over our privacy. Let us make sure we give those fundamentals back to save, innovate and invest back into Canadian businesses. Let us bring home capitalism once again, where people can make a good wage, have a good job and bring home savings for them and their families.

Madam Speaker, on September 19, Bill C-354, an act to amend the Canadian Radio-television and Telecommunications Commission Act regarding the cultural specificity of Quebec and the Francophonie was tabled and read for the first time. From the outset, I would like to thank the member for La Pointe-de-l'Île for giving me the opportunity to reiterate our government's commitment to supporting the French language.

Bill C-354 aims to amend the Canadian Radio-television and Telecommunications Commission Act, and this is closely tied to the government's ongoing work to ensure a broadcasting system in Canada that reflects the evolution of our digital world and in which all Canadians, including Quebeckers and members of the Canadian Francophonie, see themselves represented. In fact, closely linked is an understatement. The government's efforts have already been going very much in the same direction as the objective of this bill.

On February 2, 2022, our government introduced Bill C-11, aimed at reforming the Broadcasting Act so that Canadian laws reflect the evolution of our digital world. The latter aimed to clarify that online broadcasting services fall under the act, to ensure that the CRTC has the appropriate tools, to encourage greater diversity and inclusion in the broadcasting sector and to better reflect Canadian society.

The legislative process surrounding Bill C-11 took a very long time. Indeed, one year to the day passed between the initial tabling of the bill in the House and its adoption at third reading by the Senate. Both the Standing Committee on Canadian Heritage and the Standing Senate Committee on Transport and Communications spent many hours dissecting, analyzing, hearing from witnesses and refining Bill C-11. During the same legislative process, several modifications were made to Bill C-11 to strengthen the commitment to the French language and official language minority communities.

The Broadcasting Act, as recently amended, put in place new guarantees to ensure continued support for the production and broadcast of original French-language productions, the majority of which are produced in the province of Quebec. What is more, the CRTC is required to interpret the Broadcasting Act in a manner that respects the Government of Canada's commitment to promoting the vitality of Canada's French-speaking and English-speaking minorities and supporting their development. Added to this is the fact that the act provides that regulations must take into account regional concerns and needs. It should also be noted that the government is already actively consulting the provinces and territories, particularly when it comes to broadcasting.

At each stage of the process surrounding the implementation of the Online Streaming Act, the provinces and territories were consulted. In particular, the government consulted its provincial and territorial counterparts as part of the consultations related to the decree of instructions proposed to the CRTC concerning the implementation of the law.

The final decree also contains various instructions to support the official languages of Canada and official language minority communities. The decree recognizes, among other things, the minority nature of the French language in Canada and North America and the fact that the broadcasting system should promote the development of Canada's official language minority communities and promote full recognition and use of French and English in Canadian society. A section was even added to the final version of the decree to support the creation and availability of programming in French.

In addition, for its part, the CRTC has published a road map describing the main stages of the implementation of the act and is already actively consulting the public. It should be noted that as an administrative tribunal, the CRTC already holds in-depth consultations before making decisions under the rules of practice and procedure that it adopted in order to respect the principles of procedural fairness and of natural justice incumbent upon it. Provinces and territories have the opportunity to participate in CRTC consultations. To this end, the provinces and territories, including Quebec, can already present observations to the CRTC on issues of provincial interest during hearings and consultations.

It is important to specify that the Government of Quebec has the right and already uses its right to intervene in the CRTC's consultative processes. The Broadcasting Act provides for three forms of consultation, depending on the decisions it is considering. They are, in no particular order, one, with official language minority communities on any decision likely to have a detrimental effect on them; two, with CBC/Radio-Canada on its conditions of services; and three, with any interested party for decisions regarding conditions of services. The latter is an open consultation, where provinces and territories and, in fact, any interested intervenor can put forward their opinions and concerns.

In other words, the addition of the consultation obligation provided for by Bill C-354 could raise concerns that are being addressed in the course of the work of the CRTC and under the requirements of the Broadcasting Act. An obligation for the CRTC to consult elected provincial governments could also have an impact on public confidence and the independence of the CRTC. It is important that we are all mindful of not just the independence of the CRTC but the importance of that independence.

As outlined, “The CRTC is an administrative tribunal that regulates and supervises broadcasting and telecommunications in the public interest. [It is] dedicated to ensuring that Canadians have access to a world-class communication system that promotes innovation and enriches [the] lives [of Canadians].”

Further to this, under the section of the CRTC's own website entitled “We listen and collaborate”, it states that, in order to “fulfill [its] mandate, [it] must understand the needs and interests of Canadians who make use of broadcasting and telecommunications services.”

In conclusion, the government supports and will continue to support the French language. The Online Streaming Act and the act to amend the Official Languages Act are concrete examples of our commitment to the French language. Once more, the government regularly consults the provinces and territories, including Quebec.

The minister has consulted her counterparts on numerous occasions when it comes to regulating the broadcasting sector. The government will welcome any questions from members regarding Bill C-354 as the debate on this legislation continues.

Mr. Speaker, I am pleased to rise today to speak to Motion No. 426, which deals with Bill C-27. For those watching who do not know Bill C-27, it is the government's piece of legislation to update our privacy laws and introduce a new act on artificial intelligence.

As to the purpose of this motion, even though the bill went through second reading and is now awaiting study at the industry committee, we are asking that the bill be split in three, because it really is three separate bills. The first bill, as my colleague from Bay of Quinte just mentioned, is the part of the legislation that deals with updating the Privacy Act, including all of the privacy terms for protecting an individual's privacy and protecting the rights of others to use someone's privacy, that is, how they can or cannot use it. The second piece of the legislation would create a new agency called the privacy tribunal. It is really a separate piece of legislation. In fact, it is classified as a separate piece of legislation, an act within this act. Then the third piece is the artificial intelligence and data act.

It really is three pieces of legislation in one bill, and that is why we have moved this motion asking that the bill be split in three. It is a massive 120-page piece of legislative change impacting every person and every business in this country. It deserves to be studied as three separate pieces, and members of the House of Commons deserve to vote separately on those three separate pieces of information.

I will start with the first piece, which is the privacy piece. We talked at second reading about the difference between our views on the purpose of this bill, this act, and the government's views. The government made the claim that this bill was making greater steps toward protecting the personal information of the individual, yet that is not what the bill does.

Clause 5 is the purpose section, the most important section of any bill that sets out what the legal structure or purpose of legislation is. It says that it tries to balance the protection of personal privacy with the rights of businesses to use people's data. It puts business interests on a par with individual privacy interests. As my colleague from Bay of Quinte just said and as I said in my second reading speech, that is a fundamental flaw of this bill. The Privacy Commissioner has already spoken out about it.

There has been discussion about whether privacy is a fundamental human right. There is language on this in the preamble, but the preamble of the bill has virtually no legal impact. It says that privacy is among the fundamental rights people have, but it is not in the purpose section. We have been seeking and will be seeking a broad discussion at committee on that issue and the legal implication of it. The purpose section of the bill, clause 5, should say that the protection of personal privacy is a fundamental right. It is not balanced between business needs and individual needs but is a fundamental right.

That is important not only for the reasons that I just outlined, but because further down, clause 18 of the privacy part of the bill creates a concept called “legitimate interest” for a business. Clause 17, just prior to that, lays out that there has to be the express consent of an individual for a business to use privacy data, but clause 18 goes on to say that there is a legitimate interest for the business to not care about an individual's express consent. In fact, it lets a company say that if something is in its legitimate interest as a company, even if it causes individuals harm, it is okay for it to use their data for something that they did not give permission for. It says that right in the legislation.

This is a fundamental flaw of a bill that pretends to be protecting people's fundamental privacy rights. It in fact protects big corporate data and the right of big corporations to use our data however they wish. It does give additional power, which is needed, to the Privacy Commissioner in that, but the second part of the bill then takes it back with the creation of the privacy tribunal.

Maybe the best explanations of the privacy tribunal is to compare it to and understand the way the Competition Act works. There are two aspects to how we decide competition issues and appeals. One is the Competition Bureau that looks at merges and acquisitions, and it says whether they are anti-competitive or not and will rule on that merger. Then there is a Competition Tribunal, like the privacy tribunal as proposed in the bill, which is the legal framework where the law gets done and the battle gets fought between the company that thinks it should do the merger and the Competition Bureau that thinks it should not.

A classic example recently was the Rogers-Shaw takeover. Quite a bit of time was spent both through the Competition Bureau process and the Competition Tribunal process, which ruled whether that sale could happen and then whether an aspect of that sale, being the sale of Freedom Mobile to Vidéotron, could be done.

The government wants to create that kind of process in the privacy law now. It is a separate act that creates this bureaucracy and this appeal mechanism, where six individuals will decide, as a privacy tribunal, whether a company has breached a person's privacy rights. However, out of the six individuals, only three of them need to any familiarity with privacy law. The others do not need any familiarity with privacy law, no familiarity with business, no familiarity with human rights, nothing. They do not need any other qualifications other than, perhaps in this case, they are a Liberal and are appointed to this board.

I have discussed this with a number of law firms since the bill was tabled a year ago. These law firms have very different views about whether this speeds up or slows down the process of dealing with individual privacy law issues. We need to have a separate study within the committee on that aspect. In fact, I have been talking to the chair of the committee about that structure, trying to get the hearings to be set up in a way that looks at these three pieces separately.

The third piece, which my colleague for Bay of Quinte spoke eloquently about, is on artificial intelligence.

Remember, the first two parts of the bill are essentially a modest rewrite of a bill from the last Parliament, Bill C-11, when the government tried to amend these acts and then complained that the bill did not pass, because it called an early election. The Liberals could not figure out why it did not pass. However, the Liberals reintroduced the bill, but then they bolted on this other thing, which has absolutely nothing to do with the first two parts.

The third part is called the “artificial intelligence act”, but it has nothing to do with the privacy of individuals and it has nothing to do with the appeal of a person's privacy. It is all about how to regulate this new industry, and it gets it wrong. The government is basically saying that its does not know what artificial intelligence is, which is not surprising for the Liberals, but it is going to regulate it. It is going to define it in regulation, and the minister is going to be in charge of defining it. The minister is going to be in charge of setting the rules on whether the law has been breached. The minister is also going to be in charge of fining someone who has breached the law of this thing the government cannot define. It is a total usurping of Parliament. The Liberals are saying that they do not know what it is, but we should trust them, that they will never have to come back to Parliament to deal with this again.

We are asking the House to split the bill into three, because it really is three separate pieces of legislation. The government would have more success in its legislative agenda if it actually brought in these pieces properly, individually, rather than a mini-omnibus bill of different types of issues. Then they could be properly studied, properly amended, properly consulted on and properly dealt with by Parliament. The government is choosing not to do that, which is why it is having such poor legislative success in all of its efforts to date.

Madam Speaker, he is certainly better known for the way his trademark mangling and misuse of words and phrases has resulted in strangely keen insights that are still widely quoted today by many. I have a few favourites. One of them is “I didn't really say everything that I said.” Another one is “We made too many wrong mistakes.” Another is “Swing at the strikes.”

When I thought about Bill C-27 and preparing to speak today, it brought to mind Yogi-isms, and not only because those examples I just cited reminded me of the Liberals' poor approach to governance but because the title of this bill is a real mouthful at 35 words long. This brought that to mind as well.

For now, I will call it the consumer privacy protection act, but it is really summed up best by what is probably the greatest Yogi-ism of all, which is “It's déjà vu all over again.” That really speaks to it. The member was looking for me to tie it back in, so there it is. There is the tie back in.

Here we are in 2023 and here I am speaking on yet another rehash of another Liberal bill from years previous. They have a real penchant for that, these Liberals. They kind of remind me of Hollywood Studios that no longer seems to be able to produce an original script so it just keeps churning out sequels. If Bill C-27 was a film, one could call it “Bill C-11, the redo”. Bill C-27 is essential a warmed-over version of previous Bill C-11, the digital charter implementation act the Liberals introduced back in 2020.

It is not to be confused with the current Bill C-11, which is also making its way through Parliament and is the online streaming act and which also poses another threat to Canadians' privacy and online freedoms.

It is really easy to see a bit of a pattern evolving here. In any case, in May 2021 the Privacy Commissioner said the digital charter act “represents a step back overall from our current law and needs significant changes if confidence in the digital economy is to be restored.” It of course died when the Prime Minister cynically called an expensive and unnecessary election nobody wanted and everybody paid for and that did not change the Prime Minister's political fortunes one iota.

Bill C-27 carries the stamp of that former digital charter proposal, which Conservatives had concerns about then, and which we still have concerns about in its new form now. Some of the text is in fact directly lifted from Bill C-11 and the text of that bill is available for all to review.

Let us talk more about the impact of the bill's content, rather than the wording itself.

The bill purports to modernize federal private sector privacy law, to create a new tribunal and new laws for AI, or artificial intelligence, systems. In doing so, it raises a number of red flags. Perhaps the most crimson of those flags, for me, is that the bill does not recognize privacy as a fundamental right. That is not actually all that surprising, because this is a Liberal bill. I hear daily from Canadians who are alarmed by how intrusive the Liberal government has become, and who are also fearful of how much more intrusive it still seems to hope to become.

It just seems just par for the course for the government that, in a bill dealing with privacy, it is failing to acknowledge that, 34 years ago, the Supreme Court said privacy is at the very heart of liberty in a modern state, individuals are worthy of it, and it is worthy of constitutional protection.

When we talk about privacy, we have to talk about consent. We have seen far too many examples of Canadians' private and mobility data being used without their consent. I think some of these examples have been cited previously, but I will cite them again.

We saw the Tim Hortons app tracking movements of people after their orders. We saw the RCMP's use of Clearview AI's illegally created facial recognition database. We saw Telus' “data for good” program giving location data to the Public Health Agency of Canada.

These were breaches of the privacy of Canadians. There needs to be a balance between use of data by businesses and that fundamental protection of Canadians' privacy. The balance in this bill is just wrong. It leans too heavily in one direction.

There are certainly issues with user content and use of collected information. For instance, there are too many exemptions from consent. Some exemptions are so broad that they can actually be interpreted as not requiring consent at all. The concept of legitimate interests has been added as an exception to consent, where a legitimate interest outweighs any potential adverse effect on the individual. Personal information would be able to be used and shared for internal research, analysis and development without consent, provided that the content is de-identified. These exemptions are too broad.

The bill's default would seek consent where reasonable, rather than exempt the requirement. In fact, there are several instances where the bill vaguely defines terms that leave too much wiggle room for interpretation, rather than for the protection of Canadians. For example, there is a new section regarding the sharing of minors' sensitive information, but no definition of what “sensitive” means is given, and there would be no protection at all for adults' sensitive information. These are both problematic. De-identification is mandated when data is used or transferred, but the term is poorly defined and the possibility of data being reidentified is certainly there.

Anonymization or pseudonymization are the better methods, and the government needs to sharpen the terms in this bill to be able to sharpen those protections. An even more vague wording in the bill is that individuals would have a right to disposal, the ability to request that their data be destroyed. Clarification is certainly needed regarding anonymization and the right to delete or the right to vanish.

There are many more examples. I know my colleagues will certainly expand on some of those questions as posed in the bill. I know my time is running short. I want to speak to the individual privacy rights of Canadians briefly.

Canadians value their privacy even as their government continually seeks ways to compromise it. The Public Health Agency of Canada secretly tracked 33 million mobile devices during the COVID lockdown. The government assured them their data would not be collected, but it was collecting it through different means all along.

Public confidence is not that high when the Liberals start to mess in issues involving privacy. The onus should be on the government to provide clarity around the use and collection of Canadians' private information because, to quote another Yogi-ism, “If you don't catch the ball, you catch the bus home.”

Mr. Speaker, it is a privilege to rise in this House to speak to this piece of legislation. I would like to start today by saying a few words about how this bill is structured, and then I plan to use the majority of my remaining time to discuss the implications of this legislation regarding personal privacy rights.

When I look at this bill, my initial response is this: Should there really not be three separate pieces of legislation? One would deal with the consumer privacy protection act and issues related to modernizing PIPEDA, perhaps a second, separate piece would create the proposed personal information and data protection tribunal act, and a third, separate component, which should absolutely be its own legislation, would be for the section dealing with artificial intelligence.

AI may present similar, very legitimate concerns related to privacy, but the regulation of AI in any practical sense is almost impossible at this juncture because so many aspects of it are still very unknown. So much is still theoretical. So much of this new world into which we are venturing with AI has yet to be fully explored, fully realized or even fully defined. This makes regulation very difficult, but it is in this bill, so it forms part of this legislation.

We can see just how vague the language related to the AI framework really is. I understand why it is that way, and do not get me wrong; I think we need this type of legislation to regulate AI. However, in the same way, this is way too big a topic to delve into in a simple 10-minute speech. It is also too big a topic to drop into an existing piece of legislation, as the government has done here, basically wedging this section into what was known as Bill C-11 in the last Parliament.

I have deep concerns with AI. They are practical concerns, economic concerns and labour concerns related to the implementation of AI. I even have moral concerns. We have artificial intelligence so advanced that it can make decisions by itself. The people who have created that technology cannot explain how it came to those decisions and it cannot tell them. The capabilities of this technology alone seem almost limitless. It is actually a little scary.

Personally, I look at some of the work being done in AI and wonder if we should, as humanity, really be doing this. Just because we have the knowledge and capability to do something does not necessarily mean it is for the betterment of humanity. I wonder sometimes where this technology and these capabilities will take us. I fear that in hindsight, we will look back and see how our hubris led us to a technological and cultural reality we never wanted and from which we will never be able to return.

However, here we are, and we have this capability partially today. People are using it, and it requires some form of regulation. This bill attempts to start that important conversation. It is a good first step, and that is okay. I think this is one of those things where we need to start somewhere as we are not going to get it done all at once. However, again, given the enormity of the topic and the vast implications, it should be its own separate piece of legislation.

Those are my thoughts on the structure of the bill, and now I will shift gears to talk a bit about personal privacy.

Personal privacy is a fundamental right. Three decades ago, long before the advent of the Internet or smart phones, the Supreme Court of Canada ruled privacy is “the heart of liberty in a modern state”. It did not say that privacy was at the heart; it said privacy is the heart. Personal privacy is the fundamental right and freedom from which all other liberties flow, and with the advent of the Internet age, the age of the smart phone and the age of digitized everything, laws related to protecting the fundamental right to privacy must be updated. Canadians must have the right to access and control the collection, use, monitoring, retention and disclosure of their personal data. The question is, how do we realistically do that?

One of the reasons I am a Conservative is that I believe in individual rights and that rights and freedoms must be coupled with accompanying accountability and responsibility. This has to be a two-way street. Canadians need to be informed, and they need to be responsible and aware of what they are agreeing to, subscribing to and giving permission for. How often do we simply and blindly click “accept” without reading the terms and conditions for using a website, using an app or allowing others the use of our information?

I would be curious to know among my colleagues in the House, when was the last time they fully read the terms and conditions of a user agreement or a disclosure statement? Most of us just hit “accept”. We do not want to be bothered.

Recognizing this, can we really say the privacy of Canadians is being violated when many individuals live every moment of their lives posting in real time online for all the world to see, and access and just click “accept” without reading what they are agreeing to?

In this context, what is the role of government and what is the responsibility of the individual user? Government and businesses need to provide clear information, but people also need to be informed. They need to take responsibility.

I recall a while back when my office received an email on this subject of privacy. The individual was deeply concerned about web giants having access to his personal data. I had to laugh, because at the bottom of the email it said, “Sent from my Huawei phone”.

As a government creating legislation, where should those legal lines between consent and informed consent be drawn? As Canadians, we are a bit too quick to consent.

However, we have also seen far too many examples of Canadians’ private and mobility data being used without their consent. We heard about the Tim Hortons app that was tracking the movement of Canadians; how the RCMP was using Clearview AI’s illegally created facial recognition database; the public doxing of all those who donated to the freedom convoy; Telus giving location data to the Public Health Agency of Canada without a judicial warrant; and, in my view, the most egregious violation of privacy in generations, the requirement by the government and others for Canadians to provide their personal health data and information in order to work and/or travel.

If I am honest, it is this violation of privacy rights that makes me truly hesitant to support any effort by the government to strengthen privacy rights: first, because it has so flagrantly violated them, but also because I and a growing number of Canadians just do not trust the government. We do not trust it to keep its word. We do not trust it to create legislation that does not have loopholes and back doors that will give it the capability to violate individual personal freedoms.

Why? Because we have seen it from the Liberals. They want to control everything. There has never been a government that has had such an utter disregard for Canadians.

I have noted before that it was the Prime Minister's father who famously said that the government had no place in the bedrooms of Canadians. However, the current government not only wants to be in our bedrooms, but in every room, on every device, in every conversation and in every thought. It wants to control what Canadians think, what they see and what they post, and, by extension I can safely say, how their private data is curated and used.

One thing that is vital if we are to trust the government with our private data and with protecting privacy, there must be clear boundaries. This leads to one of the larger issues with this legislation, an issue we are faced with every time the government brings legislation forward. It fails to provide clear definitions.

There is a section of the bill that deals with the sensitive information of minors. The fact that there is no section for the protection of sensitive information of adults is a sign.

What does it mean by “sensitive”? It is never defined. What does it mean by “scrutiny” for data brokers? It is this habitual lack of specificity that characterizes so much of the government's legislation.

It is like a band that is way more interested in the concept of the album and how it looks on the cover than the actual quality of its music. If it cared about the quality of the music, it would have brought forward a bill that looks more like the European Union's 2016 GDPR, which is widely regarded as the gold standard for digital protection. By that standard, PIPEDA fails the test, but so might Bill C-27 if we do not bring it closer in line with what other nations have done. This lagging behind does not just affect personal privacy, but the ability of Canada and data-driven Canadian businesses to work with our EU friends.

This whole new regime outlined in the bill has huge implications for businesses, something I am sure my colleagues will be addressing. There is so much that can and should be said about this legislation, but it comes down to this: Canadians must have the right to access and control the collection, use, monitoring, retention and disclosure of their personal data.

Mr. Speaker, to bring it back to the topic of this debate, Bill C-27, the intention of the bill is to modernize the protection of digital privacy rights in Canada. The previous iteration of the bill was roundly panned by stakeholders when it was introduced in the previous Parliament. However, in this new version, Bill C-27, the government has added a few new elements, for example, regulating artificial intelligence.

Unfortunately, there are so many different elements within the bill that nobody can actually address all the issues within a 10-minute speech, so I will focus on the privacy issues that are sorely lacking within the legislation.

The bottom line is that the new bill, Bill C-27, remains fundamentally flawed and is, simply put, a redux of the former bill. Essentially, what it would do is put lipstick on a pig.

The dramatic and rapid evolution in how we gather, use and disseminate digital information in the 21st century has presented the global community with not only a lot of opportunities but significant challenges as we try to protect society and individuals against the unauthorized use of their data and information. This directly implicates the issue of privacy and the various Canadian pieces of legislation that address the issue of privacy.

This is not the first time the Liberal government has tried to “fix” a problem, and I use that term advisedly. It tries to fix things, but just makes things worse. In the 21st century, we are faced with immense challenges in how we protect individuals, our Canadian citizens, against those who might misuse their data and information. Any suggestion that this digital charter is actually an articulation of new rights is simply wrong. This is a digital charter, but it is not a digital charter of rights.

I will turn to the most significant and substantive part of the bill, the privacy elements. Very little of this legislation has been changed from the original Bill C-11, and the government has not measurably responded to the criticism it received from the stakeholders when the previous version of the bill was reviewed at committee.

There are five key additions and alterations to Canada's existing privacy protection laws.

First, the bill expressly defines the consent that Canadians must give in order for their data and information to be collected and used, and there are guidelines attached to that. We commend the government for doing that clear definition of consent.

Second, Bill C-27 addresses the de-identification, the anonymization of data that is collected by private companies. Again, that is important. We want to ensure when private businesses collect information from consumers that this information is not attached to a specific individual or citizen.

Just to be clear, the bill contains numerous broad exemptions, which we could probably drive a truck through, and will likely create the loopholes that will allow corporations to avoid asking Canadians for permission.

Third, the bill provides that all organizations and companies that undertake activities that impact the privacy of Canadians must develop codes of practice for the protection of the information they collect.

Finally, the act would create harsher financial penalties, up to $25 million, for a violation of Canadian privacy rights. We, again, commend the government for doing that.

However, let me say for the record that what we do not support is the unnecessary creation of a new personal information and data protection tribunal, which is another level of bureaucracy that would add more layers of complexity, delays and confusion to the commissioner's efforts to enforce privacy laws.

Canada is not alone in expressing concern over the risks that digital information and data flows represent to the well-being of Canadians and our privacy rights. Many other countries are grappling with the same issue and are responding to these threats, and none more so than the European Union. The EU has adopted its general data protection regulation, the GDPR, which has now become the world's gold standard when it comes to privacy protection in the digital environment.

The challenge for Canada is that the EU, which is a market of over half a billion well-heeled consumers, measures its willingness to mutually allow sharing of information with other countries against the GDPR, the standard it has set. Those who fall short of the rigour of that privacy regime will find it difficult to conduct business with the EU.

Do our current regime and this legislation measure up to the GDPR from the EU? No, probably not. In fact, for years Canada's digital data privacy framework has been lagging behind those of our international counterparts. The problem is that if we do not meet the standard, we will not be able to do the kind of business with the EU we expect to. As someone who played a part in negotiating our free trade agreement with the European Union, I know it would be an absolute travesty to see that work go to waste because our country was not willing to adopt robust privacy and data protections.

I note that, as is the custom with our Liberal friends, the bill creates more costs for taxpayers to bear. There is a creation of new responsibilities and powers for the commissioner, which we support, but this legislation calls for the creation of a separate tribunal, a new layer of bureaucracy and red tape that small and medium-sized enterprises will have to grapple with.

There are other unanswered questions. Why does this legislation not formally recognize privacy as a fundamental right? Regrettably, as presented, Bill C-27 misses the opportunity to produce a path-breaking statute that addresses the enormous risks and asymmetries posed by today's surveillance business model. Our key trading partners, especially the EU, have set the bar very high, and the adequacy of our own privacy legislation could very well be rescinded by the EU under its privacy regime.

Thirty-five years ago, our Supreme Court affirmed that privacy is “at the heart of liberty in a modern state”, yet nowhere in this bill is that right formally recognized. Any 21st-century privacy regime should recognize privacy as a fundamental human right that is inextricably linked to other fundamental rights and freedoms. By the way, I share the belief that as a fundamental right, it is not appropriate to balance off the right to privacy against the rights of corporations and commercial interests. Personal privacy must remain sacrosanct. When measured against that standard, Bill C-27 fails miserably.

I have much more to say, but I will wind down by saying that this bill is another missed opportunity to get Canada's privacy legislation right by consulting widely and learning from best practices from around the world. There is a lot riding on this bill, including the willingness of some our largest trading partners to allow reciprocal data flows. This bill is not consistent with contemporary global standards.

The Centre for Digital Rights notes that this legislation “fails to address the reality that dominant data-driven enterprises have shifted away from a service-oriented business model towards one that relies on monetizing [personal information] through the mass surveillance of individuals and groups.” That should be a wake-up call to all of us. Sadly, this bill fails to listen to that call. Let me repeat that there is a move toward monetizing personal information through mass surveillance of individuals and groups, and the government has not yet recognized that.

For those reasons, I expect the Conservatives will be opposing this bill and voting against it.

Madam Speaker, I am looking at Bill C-27 and wondering what we make of the fact, and I know he commented on this, that we have three different bills that are all put together and only one is really new. We have seen the privacy pieces and the repeal of PIPEDA in the former Parliament's Bill C-11. The bill before us relating to artificial intelligence and high-impact AI and regulating that is essentially an entirely different scheme of legislation. Would the Conservatives agree that they should be split so we can examine them separately? I think that is already their position. What does the hon. member say to that?

Madam Speaker, we are here today to debate Bill C-27, the digital charter implementation act. With this bill, the government seeks to bring Canada's consumer privacy protections up to date, to create a tribunal to impose penalties on those who violate those protections and to create a new framework on artificial intelligence and data.

For my constituents, I think the most important question is this: Why are consumer privacy rights important? Our personal information has become a commodity in the modern world. Businesses and organizations regularly buy, sell and transfer our personal data, such as our names, genders, addresses, religions, what we do on the Internet, our browsing history, our viewing and purchasing habits, and more. This happens so often that it is almost impossible to know who has access to our sensitive data and what they do with those personal details. Unfortunately, this bill fails to adequately protect the privacy of Canadians and puts commercial interests ahead of privacy rights.

The first part of this bill is the consumer privacy protection act, and I will note, as many others have during this debate, that it is really three bills in one. It is the largest part of this bill and brings in new regulations on the collection, use and sale of the private data of Canadians. I will cover three issues that I have found in this act in the first part of this bill.

The first issue relates to how organizations may collect or use our information without our consent. Subclause 18(3) states:

(3) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use

Without defining what a “legitimate interest” is, this subclause risks giving organizations free rein to define “legitimate interest” in whatever way suits their own commercial interests.

The second issue I will cover relates to how the bill would protect the privacy rights of children. Subclause 2(2) states:

(2) For the purposes of this Act, the personal information of minors is considered to be sensitive information.

However, nowhere in this bill are the terms “minor” or “sensitive information” defined. This will lead to confusion about how the personal information of children should be handled, and will ultimately lead, in my opinion, to weak protection of that information. There is also no other provision in this legislation that regulates the collection and use of children's personal data.

Every parent in the House of Commons is very concerned about their child going on Minecraft and about their interactions with other people and other gaming sites. This bill does not do enough to protect children in the context of online gaming.

The last issue I will raise in this act relates to when organizations can rely on implied consent to collect and use personal data. Subclause 15(5) states:

(5) Consent must be expressly obtained unless, subject to subsection (6), it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.

This subclause highlights that the bill lacks a clear definition of “sensitive information”. This means that organizations will have free rein to determine when they can rely on implied consent, and they will be free to decide what information is or is not deemed sensitive according to their interpretations and not the legislation's interpretation.

The second part of the bill relates to the creation of the new personal information and data protection tribunal act. The bill would create a new semi-judicial body with the power to levy financial penalties against those who violate the CPPA, the first part of the act. I question whether this tribunal would be able to enforce the penalties outlined in clause 128, which are tied to global revenue and a proportion of profit in the previous fiscal year.

How does the government plan on ensuring accurate figures? Does the government really believe that it will go after Google in a global context, hold Google accountable and collect up to 4% or 5% of Google's global revenue? It is farcical.

We need very clear and very big amendments to this section. We need to question whether we even need a tribunal, because if it is in charge of enforcing clause 128 of the bill, I already know it is going to fail.

Under the third section of the bill, the artificial intelligence and data act, new provisions would be created that apply to the private sector. However, this bill does nothing to address the relationship between government and artificial intelligence.

Right now in Parliament, we are debating Bill C-11, which talks about the government's use of algorithms in the context of the CRTC. This bill has rightly infuriated Canadians across the country who are concerned about how the government would determine what people say and do on the Internet and where they would be directed. Why is the government not trying to apply the same standards upon itself as it is trying to apply on private corporations?

I want to address some other key oversights in the bill.

First, in the U.K., EU and even Quebec, certain personal details, such as race, sexuality and religion, are given special protection in comparison with other personal information. Why does the government believe the most identifiable aspects of our personal information are not worthy of being defined as sensitive information in the context of privacy law?

Second, the bill does nothing to regulate the sale of personal data. I am reiterating this point. In a world where the sale of personal data has become an integral part of our economy, why is the government not concerned with setting clear rules on how data and what kinds of data can be bought and sold, especially in the context of children?

Third, the bill fails to regulate the use of facial recognition technology. The RCMP used Clearview Al's facial recognition database, which was illegally created. Why does the government not think it is appropriate to ensure this never happens again?

Fourth, the consumer privacy protection act and the personal information and data protection tribunal act proposed in this bill are nearly identical to the acts proposed under last Parliament's Bill C-11. The consequence is that Canada's consumer privacy laws will be out of date by the time they come into force.

This bill was an opportunity to put forward strong regulations on the collection and use of personal data, but it failed to meet some basic criteria and thresholds. While the increased penalties for violating the act are welcome, they are watered down by the implementation of a tribunal that would take months or potentially even years to make a decision and levy fines. It is even questionable whether such a tribunal could actually do what it is purported to be responsible for.

Do we really need privacy legislation that fails to protect the privacy of Canadians? Do we really want privacy legislation that fails to put consumer interests ahead of corporate interests? Do we really want privacy legislation that fails to protect the personal information of children? Do we really want Al regulations that do not apply to government? Frankly, the government needs to withdraw Bill C-27, break it up into different parts and come back to Parliament after it has looked at the drawing board again and done something a little more comprehensive.

Madam Speaker, in a previous Parliament, the government killed Bill C-11 because it wanted to have an election. It did not see the importance of that bill. Now the government is proposing a flawed bill and expecting us to support it. We will support a bill that really makes sense, a bill that will help and work for Canadians.

I do not think we have any interest in wasting time. It is up to the government to do something with its bill to make it acceptable for other parties to support it.

Madam Speaker, last week, the federal government banned the use of the TikTok app on government devices because of data privacy concerns, so it is very appropriate for us to be discussing this matter today. Digital data privacy can be seen as a fundamental right, one that urgently requires strengthened legislation, protections and enforcement. Canadians must have the right to access and control the collection, use, monitoring, retention and disclosure of their personal data.

This is a pressing issue. Realizing that, the European Union introduced the GDPR, its General Data Protection Regulation, in 2016. EU countries were given a couple of years to adapt to this new privacy reality, with the regulation coming into effect in 2018. The GDPR has been used by many other countries as a framework for privacy protection.

With the GDPR as an example, and faced with a changing digital data universe, the government basically did nothing to protect data privacy for Canadians. Perhaps that is an unfair statement. After all, digital and online data privacy was addressed in the last Parliament under Bill C-11. The Liberals recognized that Canada needed to bring its privacy laws into the 21st century.

However, that bill was never passed. Apparently, data privacy was not a big enough issue to be made a priority, and the digital charter implementation act was scrapped in favour of an election that Canadians neither wanted nor needed. Now we are asked once again to address this subject. It is indeed better late than never. I would have hoped, though, that with the delay, the government could have improved on what it is proposing.

Perhaps if the government had moved a little faster, Canadians would not have had to question how their data was being used and how their privacy was being invaded by governments and corporations. We are left to wonder how many privacy breaches have gone undetected or unreported. The ones we know of are disturbing enough. Tim Hortons used its app to track customer movements. The RCMP used Clearview AI’s illegally created facial recognition database. Telus gave customer location data to PHAC.

It has been more than 20 years since Canada’s existing digital privacy framework, the Personal Information Protection and Electronic Documents Act, PIPEDA, was passed. With technological changes in recent years, legislation is needed to address subjects such as biometrics and artificial intelligence. We have to consider how Canadians understand the issue of consent when it comes to the use of their data and their privacy.

I am deeply concerned and disappointed with how sloppy the Liberal approach in Bill C-27, the digital charter implementation act, 2022, currently is. Privacy is a fundamental right. This bill does not mention that, despite the Supreme Court of Canada having acknowledged it. We need to clearly distinguish the extent to which Canadians’ digital privacy will be protected. If the government wants the bill to be fully effective, it needs to further explore the scope of accountability required when privacy is breached.

The clear definition of consent is a major improvement from what it once was in the Personal Information Protection and Electronics Document Act, but a good definition is only the beginning. Because technology has greatly expanded and evolved since the implementation of PIPEDA, should we not also expand the umbrella of activities that consent would cover? The large number of exemptions allowed would weaken the impact of the legislation.

Bill C-27 may be a good beginning, but I had hoped for something better. It is sad that the bill’s title is perhaps the strongest statement in the legislation. While the title gives some idea of what the legislation is all about, it is already dated. We are no longer in 2022, and the Liberals are once again falling behind.

As parliamentarians, we know the power of words and the importance of speaking in a way that can be understood by those receiving the message. It is important that legislation can be understood. It is even more crucial that the bills we pass spell out exactly what we intend.

Perhaps the most important part of any of the laws is the section that provides definitions. They need to be clear and comprehensible and not subject to differing interpretations that weaken the intent of the legislation. Legislation that allows each person to provide their own definitions is problematic. Bill C-27 uses words such as “significant impact” or “sensitive information”. I cannot help but question what is covered by these vague terms.

Before the people of Edmonton Manning sent me to represent them in the House, I was a businessman. I understood the importance of safeguarding the personal information my customers entrusted to me and not to abuse that trust. However, as we have seen, some companies make unauthorized use of the information they gather to gain a competitive edge or for profit.

With that in mind, there must be a balance between acceptable use of data by business and the fundamental protection of our privacy. It seems to me that the balance is wrong on this bill, given the way it addresses user consent and the use of collected information.

The more I read Bill C-27, which 100 pages-plus, the more questions I have. There is too much in it in need of clarification. Yes, that will be done when it goes to committee after second reading, but the government could have presented a better bill to make the committee’s work easier.

I do not want to sound too negative. I know the Liberals mean well, even if they do not seem to be able to quite understand just how important digital privacy is to Canadians in the 21st century. I am pleased therefore to see that they understand that sometimes mere words or a scolding are not enough.

It makes sense to me that the Privacy Commissioner will receive new powers to enforce violations of the consumer privacy protection act. That may be the most impactful change the legislation brings about. It is not enough to simply recommend that perpetrators stop their violations. Any parent could tell us that consequences are needed if we want to ensure improved behaviour.

With the Privacy Commissioner finally being able to force violators to conform to the rules, I think we will see increased respect and better treatment of Canadians' personal information. The harsh financial penalties for non-compliance will be a powerful motivator.

Given the amount of time the Liberals had before presenting Bill C-27, we must question why they did not come up with a better bill. They have left me, and all Canadians, asking if they really understand what their own legislation is supposed to do.

Does the consumer privacy protection act, as proposed in the bill, do enough to properly protect Canadians’ personal information? The Liberals had a chance to look at the EU’s GDPR and see how well that worked. Did they learn anything?

Would Bill C-27 improve the protection of Canadians’ personal information or are there so many exemptions for needing consent in the sharing of personal information that the words of the bill are meaningless?

Would the legislation create proper protections for Canadians’ biometric data? Given that no such protection currently exists, perhaps we should be thankful that the subject is addressed at all.

Is it reasonable to exempt security agencies and departments, such as CSE, CSIS and DND from AI regulations? How do you balance privacy and security concerns?

Canadians’ digital privacy and data needs to be properly protected. This bill is a flawed attempt to start the long overdue overhaul of Canada’s digital data privacy framework. The Conservatives will be looking at putting forward some common-sense amendments at the committee stage to ensure we have the best possible legislation.

Madam Speaker, I want to use my speaking time in the House to note that today is the 85th day of the blockade of the Lachin corridor. This blockade has left 120,000 Armenians in Nagorno-Karabakh without access to health care, food and medication. This situation has been denounced by the European Parliament, by Amnesty International and, last week, by the International Court of Justice. I urge the federal government to do more and apply pressure to ensure that these 120,000 Armenians can have access to food and to prevent a humanitarian crisis.

I am pleased to rise in the House today to speak to Bill C-27, an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other acts.

This bill includes many things and covers many topics. I want to begin with the part on artificial intelligence. The NDP was a bit concerned by the fact that in the wake of Bill C‑11, this whole new part on the Artificial Intelligence and Data Act was added to Bill C‑27. We think this is a separate issue that needs to be dealt with separately. It is a huge topic in and of itself. We are pleased that the bill is being split so that we can study it in two parts.

In my riding, Rosemont—La Petite-Patrie, there is a burgeoning AI hub that provides jobs for hundreds, maybe even thousands, of professionals. I have met people who were a little worried about the federal government being kind of hasty in dealing with an issue as complex as AI. They are particularly worried about the fact that the U.S. and the EU have laws and regulations already. They think we need to take the time to make sure Canada's regulations are compatible with what is being done elsewhere, with our trading partners and our competitors, just so that it will be easier to attract talent down the line and get these professionals to go work in Montreal, Toronto, Vancouver and other places in Quebec and Canada. They want to avoid the kind of incompatibility that could result in unnecessary obstacles.

With respect to the protection of personal information, I believe that, sadly, a string of scandals has made people aware of this issue, and they realize that our laws and regulations must be updated and adapted. Consider the personal information and data breaches and the problems this causes for people. I will quickly mention a few examples. The problems with Yahoo, Marriott, and Mouvement Desjardins in Quebec, as well as Facebook, all revealed the need for new measures to help victims who have had data and their personal information stolen in several countries. We need only think of the 2019 settlement in the U.S. for the Equifax data breach. It is quite significant, given that Equifax is one of the largest companies people rely on for their credit score so they can make purchases or borrow money. This is not trivial.

Here, in 2019, the Office of the Privacy Commissioner of Canada found that Equifax fell short of its obligations to Canadians and Quebeckers. He then had the company sign a compliance agreement that did not require the payment of any fines or damages for Quebec or Canadian victims. This happened just a few years ago and clearly demonstrates just how outdated Canada's legislation is.

That is why the NDP will be supporting Bill C-27 at second reading. We think it is important that the bill be sent to committee, because we see all the cracks and gaps currently in the bill. It is important that the Office of the Privacy Commissioner be strengthened to bolster enforcement measures to protect consumers and Canadians. Bill C-27 needs to be amended to improve things. There are some shortcomings in this bill. There is even some backsliding in relation to Bill C-11, its predecessor in the previous Parliament, before the last election.

Privacy concerns everyone. In a digital world where social media and online entities are taking up more and more space, we have to remember that, although it is nice to use them sometimes—and they can be of great service—we are the ones who have become the product. Our personal information is the source of huge profits, and we need to be aware of that.

Our information is used to target the advertising we see on our devices when we go to websites. That targeting is based on our personal choices, preferences and searches. Big corporations create profiles and use them to sell advertising. We are the product. These companies make money off the information we give them for free. I have met people who had an interesting suggestion. Maybe these companies should pay us because we are their source of profit. They make money off the targeted advertising they sell, and that is how they plump up their bottom line.

We need to modernize our privacy protection laws. We also need to start thinking about the implications of handing over so much information about our consumer behaviour, our travel patterns, our interests and everything we search for online. We have to prompt people to think about that.

The bill is interesting because it creates a lot of new regulations and a new tribunal. The NDP thinks that is a good thing, but the bill does not go far enough. For example, the bill sets out a private right of action for individuals, but it does not really make it possible for consumers who have fallen victim to privacy breaches to be compensated, unlike what is being done in the United States. This right comes with various rather ineffective stipulations, so although there are new provisions, like this new tribunal, the bill provides for very little recourse.

A few years ago, the NDP published a digital bill of rights for Canadians. In it, we called for new, more effective provisions on consent and the sustainability of data. We called for the government to give the commissioner order powers and to impose larger and more consequential monetary penalties. We also called for transparency with regard to algorithms and more protection against abuse.

I think that the government could draw inspiration from the NDP's digital bill of rights to amend, enhance and improve the bill before us today. Once again, I have to say that this bill takes half steps because it proposes half-measures. There are some rather interesting measures in this bill, but they do not go far enough.

For example, there is still a significant imbalance between commercial interests and individual rights. Unfortunately, the Liberals are still in the habit of putting commercial interests ahead of the rights of citizens. For example, the new preamble of Bill C‑27 tries to present privacy as an individual interest tied to fundamental rights, but still does not directly recognize that privacy is not just an essential aspect of fundamental rights, but a fundamental right in and of itself. It considers the right to privacy to be part of Canadian norms and values, rather than a fundamental right. I think this part of the preamble of the bill should be changed.

There is also some backsliding. Under Bill C‑27, individuals would have less control over the collection, use and disclosure of their personal data, even less than what was proposed in Bill C‑11, which was introduced during the last Parliament. That is really the crux of the matter. If we do not have control over the information we provide or the way it is used or shared, it will be a wild west, total chaos. That is what we are seeing now, in fact. This is a step backwards, and I think that the NDP will be proposing amendments to restore this balance.

Under the bill, information that has been de-identified is still personal information, with some exceptions. There are quite a few exceptions, including in clauses 20 and 21, subclauses 22(1) and 39(1), and the list goes on and on. Roughly a dozen clauses contain multiple exceptions, so it gets extremely complex and confusing. It seems to me that this is going to give big corporations and web giants a way out, through loopholes and back doors. They will be able to do whatever they want because of this list of exceptions.

We in the NDP will be supporting the bill at second reading, but there is still a lot of work to be done to improve the bill.

Madam Speaker, I am concerned. I said that right off the top. When Bill C-18 was introduced over a year ago, the bill was designed to help local newspapers in this country. Now we find out when we peel back the onion that public broadcaster CBC, Rogers and Bell, are going to get 75% of the funding from Meta and Google. Why are they at the trough?

We dealt with Bill C-10 and Bill C-11 before, which pertained to those industries. Bill C-18 was designed for newspapers, as we have found out with the department saying only $150 million will be raised. Is it $150 million, or what the PBO said is a bigger pot of $239 million?

Mr. Speaker, it is an honour to speak today in the House about Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making other consequential amendments.

This is a critical bill, and I am very happy to see the debate being undertaken today in the House. I do know that cybersecurity is important to the Minister of Public Safety, so I will give him credit for bringing this bill forward. It should be something that is important to all government ministers of every level of government. It is very important that we are having this debate today.

I was provided a briefing from cybersecurity experts from the minister's department just under a year ago. It was very informative about the risk Canada faces in terms of cybersecurity. Just to speak simply, I asked them what would be, in the worst case scenario, sort of a Pearl Harbor moment for Canada. They responded that it would be a cybersecurity attack on our electrical infrastructure or our pipeline infrastructure in the middle of winter. If there were a cyber-attack or a ransomware attack on the infrastructure that keeps Canadians warm in the middle of winter, that would be absolutely devastating, specifically in our coldest provinces, regions and territories in Canada.

Just to give Canadians an idea of the gravity of what we are talking about today and how important it is, not only that we bring forward cybersecurity legislation that builds capacity, but also that it be done right. There was a series of questions before my remarks that outlined a number of the issues in this bill.

I will just outline a number of recent cybersecurity attacks in Canada and also in the United States of late. We know that the Canada Revenue Agency was attacked in August 2020, impacting nearly 13,000 Canadians who were victims of that. There was also a hospital in Newfoundland, in October 2020, where the cybersecurity hackers stole personal information from health care employees and patients in all four health regions, as well as social insurance numbers belonging to over 2,500 patients. Very deeply personal and private data from these hospitals was stolen by cybersecurity hackers.

Global Affairs also most recently was attacked in January 2022, right around the time that Russia engaged in the illegal invasion of Ukraine. It was reported that it may have been Russian, or Russian state-sponsored, actors who were responsible for the cyber-attack on Global Affairs.

That was a very serious attack on another government department. The government is certainly not immune to these types of cybersecurity attacks.

Most famously, I would say, there was a ransomware attack on critical infrastructure in the United States back in May 2021. Pipeline infrastructure was attacked. President Biden issued a state of emergency. Seventeen states issued these states of emergency. It was very serious, and it just shows the capabilities of some of these cyber-threat actors, and the threat they pose to Canadians in their everyday lives and to Canada as a whole, as well as the threat to our allies.

This bill is coming forward in light of the government announcing most recently, in the past year, that it would ban Huawei from our 5G infrastructure. Conservatives and the House of Commons, in fact, have been calling on the government to do that for quite for some time. This legislation would help enable the practical implications of that ban. Again, it is certainly a very long time coming. Had this been done years ago, it would have saved our telecommunications and thereby the everyday users of our telecommunications companies, a lot of pain and a lot of money. I am concerned about the financial impact, although this is critical, that waiting so long to bring it forward would have on everyday Canadians and their cellphone bills, just as an example.

I am the vice-chair of the public safety and national security committee. I championed a study we are undertaking, which is in the process of being finalized right now, of Canada's security posture in relation to Russian aggression. A large part of that study was about cybersecurity. The experts we brought in repeatedly sounded the alarm that cybersecurity is of the utmost importance. It is something that the Government of Canada, the private sector, provincial governments and, frankly, municipal governments must take extremely seriously. It is rapidly evolving. I am going to give some quotes from a few of the experts to the lay the stage of what we are facing as Canadians.

Professor Robert Huebert of the University of Calgary said:

With regard to other cyber threats, we also know the Russians have shown an increasing capability of being able to interfere in various electronic systems and cyber systems of other states. We've seen this with their ability to influence the Ukrainian electrical system prior to the onset of the war in 2014.

This is the other war it engaged in over the last number of years. He also said that we are seeing this in other locations across the globe.

He went on to state:

Once again, it's hard to know exactly how well-defended [Canada has] become in being able to harden that part of cyberwarfare. There's no question, whatsoever, that the attention the Russians and the Chinese are giving this is increasing....

He compared that to the reports we are hearing from our American and British friends and allies who are saying the Chinese and Russians are extremely active on the issue of cybersecurity and involving state-sponsored actors launching attacks against countries like Canada and the United States.

We also had a woman named Jennifer Quaid, who is the executive director of the Canadian Cyber Threat Exchange, which is a private company that supports various companies to help boost their cybersecurity. She talked a lot about cybercriminals. This is an important piece. Even the minister talked about this as well.

First and foremost, she flagged that the Minister of National Defence of the current government said, “Cyber security is one of the most serious economic and national security challenges we face.” Therefore, it is quite a serious issue we are talking about today.

Ms. Quaid went on to say, “cyber-threats are becoming more sophisticated and are increasingly pervasive. Driven by the growth and global adoption of innovative technologies, cybercrime pays.”

She meant that cyber-threat actors can be grouped roughly into two categories, nation states conducting espionage and statecraft through the Internet, and criminals engaging in cybercrime for financial gain.

She went on to say, “It's this criminal element that has commercialized cybercrime”, meaning that cybercriminals and cybercrime have now become a thriving industry. She pointed out that the barriers to entry, the technical expertise needed to be a hacker, so to speak, is increasingly low. She said that several countries now are allowing cybercriminal groups to operate within their borders.

She also named something called a “hacktivist”, an activist hacker, of all things. We may have someone, in the name of social justice, hacking into a fossil fuel company, for example. Imagine if that happened in Canada in the middle of winter to our gas pipeline infrastructure. It would be devastating and deadly, so we have to keep an eye out for hacktivists, as she said.

She also pointed out that 25% of organizations in Canada have reported a cyber-breach. One in four. That is pretty significant. She said that the small and medium-sized enterprises that make up 98% of our economy are also being impacted. Almost 100% of our economy is being attacked in some form or another.

This is really important when we think of big banks and big, wealthy corporations that have pretty good cybersecurity infrastructure and have the money to do so. What feeds them is third party suppliers that may provide the various components or various mechanisms to undertake their important parts of the industry that company is engaged in. They are also at risk. Therefore, if a lower third-party provider of a major telecom is attacked, for example, that may seriously impact the ability of that telecom to deliver its services adequately to Canadians.

She mentioned that 44% of SMEs, small and medium-sized enterprises, do not have any defence. Almost half of our small and medium-sized enterprises, which dominate our economy, do not have any sort of defence and are not even thinking about cybersecurity. That is why today's discussion and this bill are important to be debated and have experts weigh in.

I will also quote Dr. Ken Barker, who is a professor at the Institute for Security, Privacy and Information Assurance at the University of Calgary. He talked a lot about the impact of cybersecurity on critical infrastructure. He mentioned that, in general, it is very vulnerable because it is built on legacy systems that, in essence, predate the Internet. As our legacy systems are getting online, this creates, as he explained, some gaps that hackers can take advantage of, which again puts our critical infrastructure at risk. That came up over and over at committee. He pointed out that our large private companies and our banks are investing a lot in cybersecurity, but again, as he and Ms. Quaid pointed out, it is their SMEs that are the most vulnerable.

I will conclude my quotations here with Caroline Xavier, who is the director of the Communications Security Establishment, which falls under the Department of National Defence. It is the part of government responsible for cybersecurity. Therefore, that she is the head of government cybersecurity is a simple way to look at it.

She said, “cybercrime is the most prevalent and most pervasive threat to Canadians and Canadian businesses. Cybercriminals trying to probe Canadian systems have been found in Russia, Iran and China, among others. [They] use various techniques such as ransomware”. They are specifically focusing on our critical infrastructure, and they certainly pose, as she said, “the greatest strategic threat to Canada.”

The bill before us would do a number of things. It is quite a large bill, so I will not go into every detail of what it would do, but in essence there are two parts. One would amend our existing Telecommunications Act. Of particular importance, it would give very broad and sweeping powers to the minister of industry to do a number of things. What has been criticized by a number of organizations is a specific part of the bill, which is in the summary, that says it would allow the minister and the Governor in Council to “direct telecommunications service providers to do anything, or refrain from doing anything”.

Those are very broad powers to be given to one minister, so that should immediately put up red flags for all of us. No one should have such vast sweeping powers over our telecoms. Again, I have built the case that we need better cybersecurity, but there is a big question mark here of whether we are giving too much power to one minister, one person, in all of Canada.

The bill also has a whole financial issue involved in it. To do anything, as it said, could have massive financial implications. Big companies such as Telus may be able to afford that, but our small telecoms may not be able to so much. It might bankrupt them. That is not great news, and there would be no financial component, in terms of compensation, for any of these losses, so there is a big question mark there as well.

Also, something of importance I find quite concerning is the way the bill is structured would result in a significant exchange of a lot of information from telecoms to the minister, which he could pass on to various ministers and government agencies. Is that very confidential information? It is certainly the cybersecurity plans. Does that include state secrets? Is it safe that we would be asking our telecoms this?

The second part of the bill involves all critical infrastructure companies in Canada, as was outlined by the minister, including provincial and Crown corporations, and the like, so the bill would really establish the process that all of these companies would have to provide their cybersecurity plans, and there would be a very strict reporting mechanism. We are talking about days, if not a few weeks, to get together these plans and provide them to the minister. There would be annual updates required. If a big company were to change a third-party provider, it would have to, in essence, immediately report that to the minister of industry.

There is a whole host of very cumbersome reporting mechanisms, and I do believe we need some of these, but a question remains, as I have outlined earlier, and the government is not immune to being hacked by cybercriminals. I just outlined three or four incidents when that happened. The bill would take all of our critical infrastructure, and all of companies' cyber-defence plans, along with countless other pieces of personal data of Canadians and others, and we would give that to the government. An argument could be made that this is needed, but where are the protections for that? Where is the defence of government to ensure that this would not end up in the wrong hands or that information is not hacked by cyber-actors?

That is a significant threat that needs to be addressed by the minister, and I was not assured from his remarks that this is something that is front and centre in his objective through the bill.

I would also say that there is a number of civil liberty organizations that have raised serious alarm as well. There was an open letter written to the minister from the Canadian Civil Liberties Association, the Canadian Constitution Foundation, the International Civil Liberties Monitoring Group, Leadnow, Ligue des droits et libertés, OpenMedia, and the Privacy and Access Council of Canada. All of the leaders of research and discussion of our civil liberties, all such major organizations in Canada, were quite alarmed by the bill in many ways and wrote an open letter to the minister that outlined a number of things.

In essence, they said the bill would grant the government sweeping new powers, not only over vast swathes of the Canadian economy, but also in intruding on the private lives of Canadians. To sum it up, and I think they said really quite well, “with great power must come great accountability.” There is great power in the bill, but the accountability side is lacking.

Before I go on to detail some of their concerns, I do want to outline what some other countries are doing. If we look at the U.S. and the EU, they have established similar bills in the past year or so. The EU actually has greater and more significant fines in many ways, and the U.S. provides more prescriptive and strict reporting mechanisms, such as, if a U.S. critical infrastructure company has a ransomware attack, the legislation outlines the company must report it to the government within 24 hours.

That actually might be something we may want to consider for the bill. If we are going to go there, we might as well have it in line with our American allies and make it tight. I do think that a reporting mechanism is one of the most important parts of this bill.

I want to go back to the civil liberties issue. With the government's track record on Internet regulation bills, such as Bill C-11 and others, a lot of people have their backs up about their personal freedoms online and their data, rightfully so. The civil liberties associations are raising some of the concerns that have not been assuaged thus far by the government or the Minister of Public Safety.

In the open letter, they mention that this, “Opens the door to new surveillance obligations”, which is quite concerning. In their view, and this has not been proven, “Bill C-26 empowers the government to secretly order telecom providers ‘to do anything or refrain from doing anything’”, as I mentioned. They believe that, if there was an abuse of this extreme power, it could be utilized by a government with ill intent, not to say that is the Liberal government's intent, but it could be utilized to survey Canadian citizens. It is quite concerning.

They go on in that realm to outline that the powers in this bill allow the administrative industry to terminate who telecoms work for, for example. They believe that could also be applied to individual citizens. They are looking at this and thinking, if a government wanted to punish a group of people, it could call up Telus, and this is very blunt and not overly academic in the way I am explaining it, to direct Telus it cannot do business with these people, cut off their access to the Internet and cut off their cell phones.

It is an extreme worst-case scenario, but it is worth flagging that there may be a bit of a backdoor in this bill that would allow that, should an evil government ever come along that is looking to abuse the civil liberties of Canadians. I would like to see that addressed and have safeguards put in place to prevent that type of abuse, should it ever happen in an extreme circumstance.

They also talk about how it “Undermines privacy” and that there are “No guardrails to constraint abuse”. Again, I think this is an area where opposition parties, in particular, and hopefully government members on the committee, can come together to ensure that there is an ombudsman put in place or an oversight body. We need something where the rights of companies, and more importantly of citizens, are protected from the abuses I have outlined, and there are many others.

There were also a lot of concerns from the Business Council of Canada. It wrote an open letter to the minister on behalf of large companies, and also small and medium-sized enterprises. In essence, what we are seeing is the red tape is extremely high, so we are worried that will impact our small and medium enterprises.

The business community, in general, has said that it seems that this bill, to sum it up bluntly, is all stick and no carrot. It is all hard-hitting. It is going to be super hard on us, and we better comply. I can hopefully go into more details about that in the question part of this debate, but there is no incentive structure built in.

There is no incentive to have companies share best practices with each other. I think the government should be a leader in encouraging the open sharing of best practices and experiences that protect the confidentiality of companies but allow them to share information, so other companies can be better equipped, and we can all work together as one big happy, cyber-secure family.

The Conservative Party of Canada is, first and foremost, concerned about national security and ensuring the federal government takes that leadership role in ensuring that Canada, as a whole, is secure against any possible threat, every eventuality, as the Minister of National Defence likes to say.

We are seeing serious gaps in our military. We can have stronger alliances in our Five Eyes intelligence sharing and other agreements. Certainly, that involves cybersecurity. Canada is vulnerable, like many countries in the world. In fact, most countries are dealing with these problems. The Conservative Party of Canada wants to see a more robust framework to incentivize and enforce reporting mechanisms to ensure our cybersecurity is protected, and to make sure there is not a ransomware attack on our pipelines in the middle of winter, which could kill thousands of Canadians from the cold, for example.

We will be looking to support this bill in going to committee, but I want to make it very clear that, if the issues in this bill, and I have outlined a few of them concerning privacy and impacts to business, are not addressed, the Conservative Party is ready to pull its support immediately and put up a very strong defence to stop this bill from going beyond committee. I want to make that very clear to the minister and the Liberal government.

We will get this to committee to hear from experts because we believe that is important, but it must be fixed. There are serious issues that need to be addressed and amendments that need to be made. I would ask Liberal members on the committee to get to work with us, so we can make this bill what it needs to be and make it better to ensure cybersecurity is protected in Canada today and for years to come.

Mr. Speaker, I thank my colleague from Winnipeg North for his remarks.

Indeed, I think such a bill was urgently needed. I commend the government's leadership and congratulate it on having understood the errors in Bill C-11 and making some improvements.

I met with the Minister of Innovation, Science and Industry in January, when it was time to think about developing this bill. I emphasized the importance of the Quebec legislation and of ensuring its primacy. I thank him for listening to me and for the respect evident in Bill C-27.

With respect to the urgent need to take action, Europe is putting a lot of pressure on us. Indeed, Europe has set guidelines and is currently threatening to withdraw its confidence in our artificial intelligence systems in Canada, particularly in the banking sector. It was necessary to act; better late than never.

I hope the principle will be adopted quickly, but more importantly, I hope that the committee work will be thorough and that the experts will be heard. This will be more than welcome.