Bill C-27

Mr. Speaker, one of the things we have seen over time from the Liberal government is building up bureaucracy, building up red tape and making things more difficult for people. Just as a general philosophy, any time we can strip away red tape, create efficiencies and take away bureaucracy, it is a good thing.

Of course, we need to have rules and policies in place. We also need to have the department serving Canadians, and that should really be its focus. It should be focusing on making sure people follow rules, but as soon as we get into difficult, bureaucratic regimes and a lot of red tape, it makes it more difficult for everyone.

Mr. Speaker, I would like to pick up on the question from my colleague from Beauport—Limoilou.

I would like to hear what my colleague from Kelowna—Lake Country thinks about the government's public data. Is it not time for the government to implement other ways to verify identity?

I am talking about at least a factor of two verifications, maybe even three. This may be data such as a password, but it may also be by voice recognition, by facial recognition, by text, and so forth. It may be time for the government to move on to something else.

Could we have more robust means of protecting Canadians' data?

Madam Speaker, I am not sure what the specific ideas might be but I think, in general, any time we can do anything to protect the privacy of Canadians, whether it is within government or within the private sector, whatever all those different levels are, it is a good thing. I know it is something people are extremely concerned about.

As I mentioned in my speech, I often get local residents reaching out to me about privacy concerns they have.

We need to do everything we can within our legislative powers to make sure people's personal privacy is protected.

Madam Speaker, I will be sharing my time with the wonderful member for Rosemont—La Petite-Patrie.

I am grateful for the opportunity to rise today on Bill C-27, which is an act to enact the consumer privacy protection act, the personal information and data protection tribunal act and the artificial intelligence and data act, and to make consequential and related amendments.

The amendments are what I am particularly interested in today. As New Democrats, we will be supporting this at second reading. We support the need to modernize Canada's privacy laws and establishing rules around data governance and empowering the Office of the Privacy Commissioner to bring enforcement actions to protect consumers and citizens.

This bill takes some of those steps. However, there is a need to ensure that reforms are robust and effective. In my opinion, a long list of amendments will certainly be required to achieve these goals.

I am going to be referencing two important works that have been presented. One is from the Centre for Digital Rights, entitled “Not Fit For Purpose - Canada Deserves Much Better”. From the title, we can note that there are some concerns with this bill.

However, we recognize that this privacy legislation must be amended because there are already glaring shortfalls in PIPEDA, which urgently needs updating.

Technology continues to evolve, and data-driven business continues to move away from a service-oriented approach to one that relies on monetizing personal information through mass surveillance of individuals and groups. While these businesses find new ways to expand their surveillance and methods of monetizing our personal information, Canadians' privacy is increasingly put at risk.

The GDPR is the bar that is currently considered the adequate level of protection. However, if we were to do a little bit of comparing and contrasting, we would see that this bill tends to fall short of this level in terms of what the European Commission has done.

What this means for us is that the ability for personal data to flow to Canada without any further safeguards is at risk. There has also been pressure from industry and advocacy groups, the privacy commissioners of Canada and abroad, and privacy and data governance experts. In fact, in this particular bill, we think that the government side has fallen short in its engagement with people; I will get to that in a moment.

When we are in these technological environments, it is an ecosystem that goes well beyond our borders. We are talking about what it is like—

I would ask members who are having conversations to please take them to the lobbies.

The hon. member for Hamilton Centre.

Madam Speaker, I am sure the hon. members from the other side are about to take some good notes on the recommendations we put forward. They are probably discussing among themselves how they can improve upon these serious gaps and have some public engagement on this.

We are not subject matter experts in this House when it comes to this type of technology. It is not clear whether there has been any public engagement specific to Bill C-27 as it is proposed. There was public engagement around the creation of Canada's digital charter, called the national digital and data consultations, that happened back in 2018. However, as I understand it, only about 30 or so discussions were held. That fell dearly short. The majority of digital leaders were from the private sector, and there were only a couple of universities involved. Therefore, it is unclear who the government is consulting with when it deals with this type of surveillance capitalism and the risks it presents to consumers.

Let us get right to the point. What are the gaps that exist in this legislation? How does Bill C-27 compare with the ideal privacy legislation? There are many gaps. Clearly, it does not compare to the GDPR; it also falls short of privacy legislation that is currently being proposed in la belle province of Quebec, in New Zealand and in the state of California.

For example, in California, the California Consumer Privacy Act, the California Privacy Rights Act and the Children's Online Privacy Protection Act have all presented more robust solutions to what is before us here today. In addition, there are privacy protections that come into effect under the CCPA that we should be considering.

We need to ensure that the protections that come into effect include the rights to know, to delete and to opt out of sale or sharing, as well as the right to non-discrimination. Under that legislation, consumers also have the rights to correct inaccurate personal information and to limit the use and disclosure of sensitive personal information collected about them. There is a lot out there that we should be considering when it comes to amendments.

I am going to list examples of gaps within this bill so they are on the record. The bill does not promote the development of data stewardship models. It does not require that organizations take into account the potential consequences to individuals and societies through such measures as privacy impact assessments of a breach of security or safeguards. There is no section in Bill C-27 expressly dedicated to cross-border dataflows.

There has been no privacy impact assessment done to address any additional risks, which should be identified, justified, mitigated and documented in such an assessment. There is no assessment of the broader level of privacy rights protections in foreign jurisdictions. This is a very important conversation, particularly this week in the House, that includes how Canadians' privacy rights can be enforced.

This bill does not include specific rules that are applicable to data brokers, and these are important third parties who are not service providers. There should be a fiduciary duty to individuals if data processors act as intermediaries between individuals and data collectors. This would ensure that such service providers only use personal information entrusted to them for the purpose intended by the individuals.

This bill does not provide the right to disposal with respect to search engines' indexing of personal information where it could cause harm to the individual's privacy or reputation. It does not include the language that was in PIPEDA regarding individual access where it provides an account of third parties to which personal information about an individual or an organization has been disclosed. There should be an attempt that is as specific as possible.

This bill does not include the right of individuals to express their points of view to a human who can intervene or to contest decisions. When we look at AI or how algorithms are working in society today, they are inherently flawed.

In fact, there is another study that I would reference, titled “AI Oversight, Accountability and Protecting Human Rights”, which has commentary on this. This was authored by a series of subject matter experts who gave a long list of needs for adequate public consultation and proper oversight of AIDI to effectively regulate the AI market in Canada.

The commissioner needs to be an independent agent of Parliament. We need to empower an independent tribunal to administer penalties in the event of a contravention, and we need to outline the best practices for auditing and enforcing the law. There are dozens of recommendations contained in both reports that, as New Democrats, we will be presenting to the government at the appropriate time at committee.

It is clear, from the body of the preliminary work that has been done, that this bill is inadequate as it stands. It is too big to adequately cover AI and consumer protections. It has always been our belief that those should be split up. That way we can have an investigation to ensure that consumer protections are met, that surveillance capital does not continue to profit off our most personal information and data and that, ultimately, we have safeguards with a robust and very firm platform on which these organizations, businesses, companies, and in some instances foreign countries, are held to account when they violate our rules.

Madam Speaker, I would like to thank my friend from Hamilton Centre. I see him all the time in our town, and we serve together on the Standing Committee for Access to Information, Privacy and Ethics.

I would ask whether he thinks there is urgency to this legislation, given the fast pace that this technology develops and that companies are using it to develop what can sometimes be invasive and can violate the privacy of Canadians.

Madam Speaker, it is clear that Moore's law has extrapolated over the inaction of the Liberal government for the last eight years. We absolutely should have moved on this. However, we need to do it right. It is important that we do not put a piecemeal effort forward to try to keep up with technology that has surpassed our grasps.

There are subject matter experts who know this material better than we do. We need to have an engagement with them at committee, and we need to be able to provide independent safeguards so that when violations happen the legislation actually has teeth to address it.

Madam Speaker, I am curious if the member would expand a little more on the artificial intelligence section of this bill.

Our reading of the bill is basically that the government has this vague definition of what artificial intelligence is and that it does not really know, but we should trust the government. The minister will define it all in regulation, will enforce the regulation, will investigate if one has broken that regulation and will impose fines on that regulation without ever having to go to Parliament to decide anything. Therefore, he is going to be judge, jury and executioner on artificial intelligence and on something the government has not defined.

I wonder if the member would comment on that.

Madam Speaker, that is an important question. Bill C-27 needs consistent, technologically neutral and future-proof definitions both to the consumer privacy protection act and the AIDA within Bill C-27. It should provide definitions for AI or algorithmic systems that are cohesive across both laws, and the definition for AI ought to be technologically neutral and future-proof. That is the question I just answered for the previous speaker. A potential pathway for regulation is to define algorithmic systems based on their applications, instead of focusing on the various techniques associated with machine learning and AI.

Madam Speaker, I appreciated hearing the member for Hamilton Centre's speech on Bill C-27. I would like to hear more from him, in particular on subclause 18(3). This section talks about a legitimate interest for an organization to collect a person's private information without consent.

There have been concerns shared here with respect to how open-ended this legitimate interest could be. I wonder if the member would reflect and share more about his concerns, if any, with the way the bill is currently written.

Madam Speaker, that is also an important question, because I think what the member did not reference, which I will reference specifically, are the instances where governments used this information.

I think that informed consent is an inherent right to privacy and protection. The AIDA must apply to government institutions, given that the AIDA only currently applies to the federal private sector, as government institutions are explicitly exempt from this. It is imperative that the AIDA's framework be brought in to include government institutions.

Let us be very clear. Individuals ought to always have informed consent about where their information and data go. There ought not to be situations, outside of warrants expressed through our legal system, that allow for the collection, maintenance and distribution of personal information online.

Madam Speaker, at the beginning of his speech, my colleague talked about the progress Quebec has made with Bill 25.

Bill C-27 appears to provide some protection or at least not go against Bill 25, but there is no real guarantee.

Does my colleague think that this is one of the changes that should be made to ensure that Bill 25 in Quebec is not hindered by Bill C-27 and that, instead, these laws complement one another?