Digital Charter Implementation Act, 2022

An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Sponsor

Status

In committee (House), as of April 24, 2023

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

Part 1 enacts the Consumer Privacy Protection Act to govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities. In consequence, it repeals Part 1 of the Personal Information Protection and Electronic Documents Act and changes the short title of that Act to the Electronic Documents Act. It also makes consequential and related amendments to other Acts.
Part 2 enacts the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act and to impose penalties for the contravention of certain provisions of that Act. It also makes a related amendment to the Administrative Tribunals Support Service of Canada Act.
Part 3 enacts the Artificial Intelligence and Data Act to regulate international and interprovincial trade and commerce in artificial intelligence systems by requiring that certain persons adopt measures to mitigate risks of harm and biased output related to high-impact artificial intelligence systems. That Act provides for public reporting and authorizes the Minister to order the production of records related to artificial intelligence systems. That Act also establishes prohibitions related to the possession or use of illegally obtained personal information for the purpose of designing, developing, using or making available for use an artificial intelligence system and to the making available for use of an artificial intelligence system if its use causes serious harm to individuals.

Votes

April 24, 2023 Passed 2nd reading of Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Digital Charter Implementation Act, 2022
Government Orders

March 7th, 2023 / 12:15 p.m.

Bloc

Caroline Desbiens Bloc Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Madam Speaker, I thank my colleague. I admire him and appreciate his friendship because we work very well together in committee. We have a great connection and I appreciate that.

I also appreciate the fact that his wife is a music creator like me. She knows what I mean when I talk about the threat of our artistic productions being copied.

With regard to cybersecurity for children, I completely agree with my colleague. I think that the committee will be very interested in examining that unique aspect of the bill. We talked about cyberviolence yesterday, and I think that will be an extremely important aspect. We also need to think about educating families and parents so they get the tools they need to better protect our young children, who certainly need protecting in today's tumultuous cyber-environment.

March 7th, 2023 / 12:20 p.m.

Conservative

Colin Carrie Conservative Oshawa, ON

Madam Speaker, my colleague is probably hearing from constituents, as I am. The bill seems to be silent on the selling of personal data. It is silent on facial recognition. She mentioned the artificial intelligence part of it. It seems that the new artificial intelligence part of it was just jammed alongside, and there is not a lot of thought in there.

She did not comment on the concept of implied consent. I thank my Liberal colleague for bringing up the protection issues. The bill does mention the term “implied consent”. That would allow businesses to take a user's consent to use their data and information for new purposes without actually obtaining it. I wonder if she could comment on that and why it is so important to get that right.

March 7th, 2023 / 12:20 p.m.

Bloc

Caroline Desbiens Bloc Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Madam Speaker, I thank my colleague for his very relevant question. When it comes to consent, I believe that very clear guidelines need to be set in order to avoid ambiguity.

Why does the bill before us need so much study and deliberation in committee?

I think we will find that consent is a very particular aspect of this domain and that, as I said, we will have to set very clear and precise guidelines that cannot fail in practice. I believe the experts will enlighten us on this subject. I hope we will have the ability and the opportunity to hear from them during the committee study.

March 7th, 2023 / 12:20 p.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

Madam Speaker, it is an important piece to talk about. Megacorporations, in particular those corporations that utilize AI and other digital tools, have been doing something nefarious, which is putting in these long, giant legal descriptions. Many people just scroll to the bottom of these and accept them. However, many people do not know how complicated those arrangements are that they are coming into.

I wonder if the member would talk about how dangerous it is to have such complicated agreements that regular folks are signing on to, while not knowing the explicit dangers and damages that come along with agreeing to those terms and conditions, like the ones we are talking about today and like the ones that are harvesting data. Would the member expand on that, please?

March 7th, 2023 / 12:20 p.m.

Bloc

Caroline Desbiens Bloc Beauport—Côte-de-Beaupré—Île d’Orléans—Charlevoix, QC

Madam Speaker, I will give a brief answer.

Cigarette packs have a warning label on them to indicate that smoking causes cancer. I think it will be important to include similar warnings about the security of our personal data on the Internet.

March 7th, 2023 / 12:20 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Madam Speaker, privacy is important, and I think nearly all Canadians agree on this. I presume that all members of the House agree on that as well. A generation ago, the Supreme Court also agreed; it said that privacy was something upon which our most basic and ancient expectations of liberty depend. The security of the person depends on privacy, and without a basic expectation of privacy, it is difficult to imagine how any freedoms and security can exist.

What about privacy in the digital age? There is a growing awareness of how both businesses and governments threaten people's privacy and their expectation of privacy. Over the last few years, Canadians have seen high-profile examples of gross violations of this basic expectation of privacy, from both the private sector and government.

Users of the Tim Hortons app were rightly appalled when they learned that a private business was tracking their movements without their knowledge or consent, well after they had ordered and purchased their products. We also heard about Home Depot and the sharing of emails without the knowledge or consent of its customers.

We have seen where Telus Mobility gave the Public Health Agency the mobility data of not only its own customers but any customers whose signals passed through its infrastructure. It did this without following Canada's existing privacy laws, which required the Public Health Agency to consult the Privacy Commissioner before obtaining or using that data.

There is a private corporation, Clearview AI, which is a business that scrapes billions of images of people's faces from across the Internet. It identifies these images however it can from whatever sources, public or whatnot, that it has and then sells these identified images to law enforcement agencies without the consent of the people whose faces and identities it sells.

These are examples of how both public and private institutions flout existing laws.

On the public side, we have seen how the Privacy Commissioner has been ignored by both PHAC and the RCMP. When knowledge of what they had done became available, it was clear that they had not followed the existing laws or consulted with the Privacy Commissioner. The RCMP even disputed the finding of the Privacy Commissioner that it had violated the act, treating it like some kind of matter of opinion with which it could disagree. It repeated that refusal to accept the Privacy Commissioner's finding at a parliamentary committee. The RCMP also used sophisticated spyware to hack cellphones. Again, it did so without consulting the Privacy Commissioner about the use of new technology and new investigative tools, which is required under existing law.

Therefore, we have a real problem with both businesses and the government, which does not take its obligations to Canadians' privacy seriously enough. The government has a problem with respecting Canadians' privacy, and it has a credibility problem around privacy-related issues.

In addition to these well-known breaches by law enforcement and law enforcement's casual attitude towards compliance with privacy law, there are enormous commercial incentives for businesses to use new technologies like facial recognition with artificial intelligence. We have studied these concerns at parliamentary committees, and we have heard experts testify about the dangers to Canadians from the potential misuse of artificial intelligence, both by businesses and law enforcement.

What happens when artificial intelligence goes wrong? Facial recognition technology has built-in biases. We have heard expert testimony about how the efficacy of facial recognition under existing software is best with middle-aged, white male faces. When an individual is a child, a senior, a woman or a person with a darker skin tone, these applications are far less likely to correctly match people. This may have life-changing consequences when we are talking about law enforcement, never mind all the potential commercial applications of AI for retail and other potential users.

In facial recognition, the images are often scraped from the Internet without the consent of the consumer. Consent and the system of consent are completely broken with privacy. This needs to be updated. I know that this bill tries to address this.

We all have these devices that are connected to the Internet. I think everybody in this chamber and most Canadians have had the experience of trying to obtain access to a new application or use a new device. One is confronted with an incomprehensible set of policies and disclosures with an “agree” button at the bottom. Even people who would actually undertake the painstaking process of reading through one of these enormous statements would generally get to the bottom and conclude they do not really understand what they are getting into. However, they need to proceed with whatever task is at hand, and they click “agree”. That is a very small number of people.

Most people just get to the bottom and hit the “agree” button. Nobody has any idea what they have agreed to. I think that a lot of Canadians are sadly resigned to the belief that clicking “agree” means giving up a part of their privacy. They know they are giving something up, but they do not really know what. They just shrug their shoulders and think there is just no way around it; there is no other alternative other than to hit the button.

There is no doubt that the consent model is thoroughly broken or that Canada's privacy laws need to be modernized. Does this bill cut it? I would say no. This bill is too vague. It has too few details and leaves too many unanswered questions to warrant support, even so far as a committee study. This bill is a missed opportunity to get something right that has long been wrong. The failures of the existing privacy laws have been known for a very long time. The government has had a long time to get it right, and it has not done so.

What we are debating is a bill that is consistently vague and leaves too many questions about what it does and what it fails to do. Furthermore, the concern is that if this bill passes, a number of these questions will simply be settled by the minister and departmental bureaucrats rather than through parliamentary oversight.

This bill still does not definitively answer questions about when and how consent for the use of personal information is collected. It talks about the need for plain language, which of course I agree with, but it offers significant exceptions and no details. The bill does not clearly define a series of new terms, including “sensitive information” as being distinct from other types of information.

Will this bill be compatible with the European Union's GDPR? Some call the GDPR the gold standard. I do not know if it is really golden, but there is a consensus that it is the best balance between commercial expediency and consumer privacy. We do not know if this bill is even going to meet up with it.

I wanted to get into a number of shortcomings that this bill has, but I am going to have to get to them in questions. However, I am not going to support it. It is not strong enough to warrant approval even as far as a committee study, although I understand the need for a bill that will address privacy.

With that I will let the questions follow.

March 7th, 2023 / 12:30 p.m.

Winnipeg North Manitoba

Liberal

Kevin Lamoureux Liberal Parliamentary Secretary to the Leader of the Government in the House of Commons

Madam Speaker, 20 years after the need to see changes was shown, Bill C-27 is here.

The last time we saw changes, Facebook and iPhones did not exist. This is important legislation. Within it, to use a couple of examples, there are frameworks that allow for substantial fines and protection of Canadian privacy.

What we are hearing from the Conservative Party is that Conservatives do not want any of it. They are going to vote against the bill. The Conservatives are ultimately arguing that the bill is not amendable.

Does the member not see any value in the substance that is actually there to protect Canadians and empower things such as substantial fines?

March 7th, 2023 / 12:30 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Madam Speaker, while it is true that this bill contains the provision for substantial fines, who is going to be fined? Who would it apply to?

Will the tech giants, with their armies of lobbyists and lawyers, figure out the loopholes within all the ambiguity in this law? For a small business owner, who is not in the business of harvesting data but nevertheless must collect information to complete a transaction, will this just give more red tape and more potential liability while letting off the tech giants?

I do not know the answer to that question, and it should be clearer in this bill.

March 7th, 2023 / 12:35 p.m.

NDP

The Assistant Deputy Speaker NDP Carol Hughes

There appears to be a problem with the interpretation.

We will take a moment to fix the problem.

Things seem to have been fixed.

The hon. member for Trois-Rivières.

March 7th, 2023 / 12:40 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Madam Speaker, I just want to put a question to my hon. colleague from Calgary Rocky Ridge, with whom I worked on the ethics committee and who is knowledgeable about situations concerning access to information. It is a question that the people of Trois‑Rivières asked me when I was out in the community.

With the arrival of ChatGPT, is it not true that a large part of this bill will have to be rewritten because it has become obsolete due to this important change in the reality of access to information?

March 7th, 2023 / 12:40 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Madam Speaker, that is an interesting question, and the member may well be right. The bill certainly has a lot to catch up with. It has been, as has been pointed out, a long time since the existing law was updated. It seems to me that so many questions remain unanswered about problems that have been well identified by all sides in this chamber, yet they are not clearly and definitively solved by the bill. The emergence of new technologies, while we are not even coping with some that have existed for years, is a problem. We are in the third decade of the Internet age. A lot of this stuff is not new, and we are still catching up with decades of issues around privacy.

March 7th, 2023 / 12:40 p.m.

NDP

Brian Masse NDP Windsor West, ON

Madam Speaker, I am a little concerned with the Conservative position of not sending the bill to the industry committee as a co-operative approach to trying to fix problems in bills, which we are currently doing. I would like to know from the Conservatives exactly what it would take to at least move it to committee.

I have a lot of concerns about the bill. There are many issues that we have raised and spoken to. It is a fairly unfortunate position that we are going to leave it to Google and the Internet giants to basically rule over Canada, unobstructed, for the next couple of years, if we do not at least try to fix some of the problems that have been well identified.

March 7th, 2023 / 12:40 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Madam Speaker, if I was convinced the bill would do no harm, at a minimum, perhaps I would be inclined to send it to committee. I am not sure of that. If we send a bill that has this many holes in it and this many items that need to be fixed, I am not sure that can be done at committee. I am disappointed the government did not table a better bill.

March 7th, 2023 / 12:40 p.m.

Conservative

Greg McLean Conservative Calgary Centre, AB

Madam Speaker, I rise today to address the House with respect to Bill C-27, the digital charter implementation act, 2022. It is just a year or so behind.

Thirty-four years ago, the Supreme Court of Canada recognized that privacy was at the heart of liberty. Much has changed since 1989 and little more drastically than the continuous transfer of the private information of Canadians to other organizations. The questions we need to ask are these: What are the costs of and what are the benefits of the availability of Canadians' private information for the use of others?

Many organizations see themselves as supplying useful value to Canadians by being provided, whether by contract or by capture, private information that is not knowingly provided by citizens. Examples include service companies that recognize when a consumer might be able to save a percentage of their fees by bundling certain services. In such a case, the benefit of this information availability is shared by the consumer and the service provider.

Let us make no mistake. What drives the action by the service provider is profit, which is known as the greater share of wallet. Nevertheless, in such cases, the consumer sees the benefit of being included in the information sharing, whether they know it has occurred or they do not.

This apparently benign approach to gathering information has now stretched to our daily lives, where our computers, our phones and our in-home private intelligent assistants, like Siri and Alexa, are gathering information on us. When my sons are at their homes and use Siri, they say, “Siri, turn on”. They have figured out that Siri was listening the whole time. A lot of information is being culled. Do we know that our information, in that case, when we have not actually disclosed it willingly, is being used in a benign or creditable way? Which of that has become public information to be monetized by somebody else? That is what is occurring.

Large corporations are gathering data that is being sold to others for their own purposes. That supposedly benign relationship is now being passed to another organization, in that case, that is paying the information gatherer, and so on. There is no accountability mechanism to the individual for the benefit of the supply of one's information to flow.

There is only one measurement at play, and that is profit. One need only look at the incredible financial returns associated with these technological information-gathering companies, including the Googles, the Metas, the Amazons, etc. None of those are Canadian, by the way, and realize that the value-extraction industry is lopsided in their favour. At no time in human history have start-up companies, many without a tangible product, achieved such lofty valuations so quickly. Billionaires are created out of computer code, which provides what, exactly? It provides our information.

Value is created and destroyed in commercial markets. That is the economic engine that has led the western world to prosperity, but value is only traded in financial markets. Let us ask this: Is the culling and selling of private information, however obtained, creating value or transferring value?

In that respect, the intent of this bill is good. It is designed to modernize the protection of Canadians' digital privacy rights. It is past due, and it is important. It cannot be delayed by another prorogued Parliament or another unnecessary election call, as happened to the prior bill that was introduced to advance this issue in the last Parliament. The aim of this bill is good. The execution, I would say, is way off. I see a bureaucratic solution, designed by bureaucrats, for use by bureaucrats, with what would be a minor effect for the Canadian population in general. As we say, if you are a hammer, everything looks like a nail.

The design outcomes of this bill are increasing bureaucratic oversight. The personal information and data protection tribunal act would have six members and would be put together in a tribunal, three of whom would have experience in information and privacy law. Only three out of six, which is half, are going to have experience in the very laws that they would be overseeing.

This is going to be responsible for determining the severity of financial penalties. It would have a staff of 20 with a budget, along with a larger budget for the Privacy Commissioner, which already exists. Does anybody see any redundancy in this solution?

There is a litany of financial penalties listed through this bill and a host of requirements of all businesses, even small businesses, which are going to find the requirements of this bill onerous in the extreme. Joe's Garage is going to be treated with the same expectations as the Royal Bank and face the same potential penalties.

I will read from this legislation something that would scare any small-business person. This is about privacy management programs, as required under the legislation. It states that, “Every organization must implement...a privacy management program that includes the [organization's] policies, practices and procedures....”

It further states that, “...the organization must take into account the volume and sensitivity of the personal information under its control.” What does that mean, and how do we interpret that?

It also states, “...the organization must ensure, by contract or otherwise, that the service provider provides [substantially the same] protection....” Therefore, a businessman is going to need to ensure that something nebulous is not being provided by their service provider when forwarding information. Clearly, no one involved in this bill's design has even considered what this means for Canada's small-business community.

Here is the issue for Canadians. Who has the most information on Canadians? Governments, first of all. Who is likely to get information hacked? Those same governments.

This bill shows a complete lack of accountability by the government regarding how it might misplace or misuse Canadians' data. Is the government going to fine itself in such an instance? I doubt it. That would be a round-trip anyway, at that point in time.

Banks, secondly, have a lot of information about Canadians, and they use that information to increase their returns. They have large bureaucracies, large legal departments and government relations departments to stick-handle these fines. I should note, in this legislation, many exemptions are included. Therefore, we are building more bureaucracy. That is just what Canadians have elected us to do, I say very sarcastically.

On top of the 30% increase in federal government employees over the past six years, we are going to build more bureaucracy. What this bill should be doing is trying to strike a balance between business use of data and the fundamental protection of our privacy.

Let us quickly discuss some of the nefarious uses of digital information gathering. Let us go back to the pandemic, when CERB payments were given out to Canadians, and how many criminal organizations misused that government information to pilfer the pockets of Canadian taxpayers and get undeserved CERB payments into the wrong accounts. This is what happens when government information is pilfered, and this is the main problem with the privacy of Canadians' information.

My advice to the government is to get this bill moving. It is way behind other jurisdictions on this very important issue. Look at how the absence of privacy protection has affected Canadians, and take a look at where the value of Canadians' information has gone: to all the large American tech companies.

The government must listen to that input and the alternatives that are going to be put before it when it puts together this bill. Hopefully, the government amends this bill so it actually addresses the privacy of Canadians in a more complete manner. Listen to that input and to those alternatives. As the Supreme Court of Canada reiterated 34 years ago, Canada needs to recognize privacy as a right, so let us get to work in providing an outcome that actually safeguards Canadians' privacy.

March 7th, 2023 / 12:50 p.m.

Liberal

Ken Hardie Liberal Fleetwood—Port Kells, BC

Madam Speaker, I wanted to relate to the hon. member an experience I had back in 2014 or 2015. I saw something on Facebook that said it was Stephen Harper's birthday and to wish him a happy birthday, so I did. What the heck. I am a Liberal, and I know he is a Conservative. I disagree with what Mr. Harper did, but a birthday is a birthday.

Imagine my surprise when, after that, I saw posts online that put me down as a supporter of Stephen Harper. That did raise some questions among my family and others. That is an example of something that also needs to be paid attention to. How many times, for instance, have we been asked to fill out a personality test, or whatever, not knowing that we are giving all this information that could be used against us? I am wondering if the hon. member could reflect on that.