Bill C-27

Mr. Speaker, that may be a better question for the government to answer, but I do not believe this is the intent of this bill. This bill is about cybersecurity. The government has another bill before the House, Bill C-27, which is a bit closer to privacy changes. The government has not proposed changes to the Privacy Act or the Elections Act, so I do not think this bill is relevant to the question that the member raised. The member is getting away from cybersecurity and into the much broader rubric of the privacy of Canadians. She raises some points, but I do not actually connect them to this bill.

Mr. Speaker, it is a pleasure to rise and join the debate this morning in the House of Commons. I will be sharing my time with the member for Fort McMurray—Cold Lake.

Bill C-26 is a bill that addresses an important and growing topic. Cybersecurity is very important, very timely. I am glad that, in calling this bill today, the government sees this as a priority. I struggle with trying to figure out the priorities of the government from time to time. There were other bills it had declared as absolute must-pass bills before Christmas that it is not calling. However, it is good to be talking about this instead of Bill C-21, Bill C-11 or some of the other bills that the Liberals have lots of problems with on their own benches.

Cybersecurity is something that affects all Canadians. It is, no doubt, an exceptionally important issue that the government needs to address. Cybersecurity, as the previous speaker said, is national security. It is critical to the safety and security of all of our infrastructure. It underpins every aspect of our lives. We have seen how infrastructure can be vulnerable to cyber-attacks. Throughout the world, we have seen how energy infrastructure is vulnerable, like cyber-attacks that affect the ability to operate pipelines. We have seen how cyber-attacks can jeopardize the functioning of an electrical grid.

At the local level, we have experienced how weather events that bring down power infrastructure can devastate a community and can actually endanger people's health and safety. One can only imagine what a nationwide or pervasive cyber-attack that managed to cripple a national electrical grid would do to people's ability to live their lives in safety and comfort.

Cyberwarfare is emerging as a critical component of every country's national defence system, both offensively and defensively. The battlefield success of any military force has always depended on communication. We know now just how dependent military forces are on the security of their cyber-communication. We see this unfolding in Ukraine, resulting from the horrific, criminal invasion of that country by Putin. We see the vital role that communication plays with respect to the ability of a country to defend itself from a foreign adversary, in terms of cybersecurity.

I might point out that there is a study on this going on at the national defence committee. We have heard expert testimony about how important cybersecurity is to the Canadian Armed Forces. We look forward to getting that report eventually put together and tabled, with recommendations to the government here in the House of Commons in Canada.

We know that critical sectors of the Canadian economy and our public services are highly vulnerable to cyber-attack. Organized crime and foreign governments do target information contained within health care systems and within our financial system. The potential for a ransom attack, large and small, is a threat to Canadians. Imagine a hostile regime or a criminal enterprise hacking a public health care system and holding an entire province or an entire country hostage with the threat to destroy or leak or hopelessly corrupt the health data of millions of citizens. Sadly, criminal organizations and hostile governments seek to do this and are busy creating the technology to enable them to do exactly this.

The Standing Committee on Access to Information, Privacy and Ethics conducted three different studies while I was chair of that committee that were tied to cybersecurity in various ways. We talked about and learned about the important ways in which cybersecurity and privacy protection intersect and sometimes conflict. We saw how this government contracted with the company Clearview AI, a company whose business is to scrape billions of images from the Internet, identify these images and sell the identified images back to governments and, in the case of Canada, to the RCMP.

We heard chilling testimony at that committee about the capabilities of sophisticated investigative tools, spyware, used by hostile regimes and by organized crime but also by our own government, which used sophisticated investigative tools to access Canadians' cellphones without their knowledge or consent. In Canada, this was limited. It was surprising to learn that this happened, but it happened under judicial warrant and in limited situations by the RCMP. However, the RCMP did not notify or consult the Privacy Commissioner, which is required under Treasury Board rules. This conflict between protecting Canadians by enforcing our laws and protecting Canadians' privacy is difficult for governments, and when government institutions like the RCMP disregard Treasury Board edicts or ignore the Privacy Commissioner or the Privacy Act, especially when they set aside or ignore a ruling from the Privacy Commissioner, it is quite concerning.

This bill is important. It is worthy of support, unlike the government's somewhat related bill, Bill C-27, the so-called digital charter. However, this bill, make no mistake, has significant new powers for the government. It amends the Telecommunications Act to give extraordinary powers to the minister over industry. It is part of a pattern we are seeing with this government, where it introduces bills that grant significant powers to the minister and to the bureaucrats who will ultimately create regulations.

Parliament is really not going to see this fleshed out unless there is significant work done at committee to improve transparency around this bill and to add more clarity around what this bill would actually do and how these powers will be granted. There have been many concerns raised in the business community about how this bill may chase investment, jobs and capital from Canada. The prospect of extraordinary fines, without this bill being fleshed out very well, creates enormous liability for companies, which may choose not to invest in Canada, not fully understanding the ramifications of this bill.

There is always the capture. We have seen this time and time again with the government. It seems to write up a bill for maybe three or four big companies or industries, only a small number of players in Canada, and yet the bill will capture other enterprises, small businesses that do not have armies of lobbyists to engage the government and get regulations that will give them loopholes, or lawyers to litigate a conflict that may arise as a result of it. I am always concerned about the small businesses and the way they may be captured, either deliberately or not, by a bill like this.

I will conclude by saying that I support the objective. I agree with the concern that the bill tries to address. I am very concerned about a number of areas that are ambiguous within the bill. I hope that it is studied vigorously at committee and that strong recommendations are brought back from committee and incorporated into whatever the bill might finally look like when it comes back for third reading.

Can I just follow up on that? Seeing all of the accounts of this C-18 legislation in reference to your company and the precedent it's supposed to set globally for you, I would have thought that at least you would send your CEO to speak to a country that represents 38 million people—or to the House of Commons that represents 38 million people.

I will move on to my next comment or question. I just spoke two days ago in the House of Commons about Bill C-27 and its implications for Canadians' privacy. Google once attempted to build a smart city in Toronto that would have collected massive amounts of personal and very private information for money. The basis of your business is surveillance, and you make a lot of money doing it.

We now see you as a company threatening Canadians that you will be censoring, or you have censored, 4% of the news content in Canada.

I have a simple question. Yes or no, do you think it's okay to block any news content to Canadians?

Madam Speaker, I am looking at Bill C-27 and wondering what we make of the fact, and I know he commented on this, that we have three different bills that are all put together and only one is really new. We have seen the privacy pieces and the repeal of PIPEDA in the former Parliament's Bill C-11. The bill before us relating to artificial intelligence and high-impact AI and regulating that is essentially an entirely different scheme of legislation. Would the Conservatives agree that they should be split so we can examine them separately? I think that is already their position. What does the hon. member say to that?

Madam Speaker, it is a pleasure for me to speak to Bill C-27 in the House today, a bill that deals with issues related to privacy, as well as the way that the government interacts with large corporations to protect, or not, the privacy of Canadians.

I want to say at the outset that I am deeply concerned by the fact that the government has clearly been captured by certain corporate interests. It is important to distinguish in this discussion between corporate interests and the idea of a free market. As Conservatives, we believe very much in the importance and value of a free market and a competitive market, a market that is legitimately a challenging and competitive place for businesses that have to compete with each other to have the best products, where some businesses come in to challenge and steal market share away from other businesses and so forth, where there are not gatekeepers preventing new entrants coming into business. We celebrate free markets and the competitive aspect of free markets rather than a situation in which a small group of large corporations is able to dominate and exercise undue and inappropriate power.

In this House, different parties have different dispositions when it comes to corporations. We have the NDP that generally takes kind of an anti-business approach in general, we have my party that champions the free competitive market and we have a government that is, sadly, captured by specific corporate interests, often at the expense of the free market, as well as at the expense of individual well-being. Paradoxically, the NDP, while it criticizes the government for that, is fundamentally complicit with the government in, on the one hand, criticizing its agenda as it relates to defending corporate interests, but, on the other hand, supporting the government and providing it with the supply it needs to continue in its misguided approach.

What we see in terms of the government's relationship with large corporate interests at the expense of the free market and individual well-being is clear across a broad range of cases. We could talk, for instance, about the government's fondness for specific companies in terms of outsourcing and procurement, how it has repeatedly gone back to McKinsey to do work that in fact could have and should have been done within the public service, despite McKinsey's track record in so many different areas. We can talk about the fact that while the public service has grown, outsourcing under the government has expanded dramatically. We can talk about how it has pushed companies to implement forms of political discrimination, such as freezing people's bank accounts. We can talk about a number of the violations of individual privacy and liberty that happen through the government's close relationship with corporations.

I will say, in general, there is this emerging concept of woke capitalism or stakeholder capitalism that I think we need to be thoughtfully critical of, this idea that large corporations should be making definitive determinations and forcing those implementations on the country using their power and that governments can push corporations to push woke ideas or particular views of the common good that arise not through free democratic deliberation, but that come about because of pressure from corporate interests. We see the government's fondness for this kind of woke corporatism approach, where it tries to pressure companies to align with and push its views on various issues.

Again, Conservatives are very supportive of competitive marketplaces where businesses are doing business, not assuming a preferential position in social values debates, where businesses have to compete to survive, where new businesses are able to compete with old businesses and where we support the development of new small businesses so that we do not have a concentration of corporate power, but, rather, a well-functioning, effective market economy. That is the vision that Conservatives are defending.

Let me talk specifically about the issue of privacy and how we see the working out of the government's kind of approach to and relationship with big corporations in terms of their approach to privacy.

I am very pleased the Conservative Party uses and has a member-driven policy document. On issues like this, if one would like to know where Conservatives stand, it is not just a matter of Conservative caucus discussion but it is also a matter of drawing from the work that hundreds of thousands of Conservative Party members do, deliberating at the riding level, having discussions, proposing ideas and bringing those to a convention that then leads to a standing policy document that helps to define and frame the values that Conservatives stand for. I know our Conservative Party is deeply committed to the idea of grassroots democracy and the role our members play in all aspects of decision-making.

That is very important, and in this particular context, we see that playing out in the area of the policy declaration. Our policy declaration recognizes the fundamental right people have to privacy. As a Conservative caucus, we are supportive in advancing and bringing to the House that view about fundamental rights, a fundamental right to data privacy that has come to us through the involvement of our members but that also reflects the widely held perspectives of Canadians beyond our membership, a fundamental right around the protection of data.

This bill, Bill C-27, could have mirrored the language from the Conservative Party policy declaration. It does not. It does not recognize the fundamental nature of rights around data privacy. Rather, it talks about kind of striking a balance between people wanting to have their privacy protected but also the fact there are certain corporate interests. There are interests of corporations the government is close to that might be negatively affected if we recognize the fundamental right to privacy of Canadians, so it effectively seeks to say there should be some balance between the idea of protecting people's rights and the fact there may be certain large corporations whose interests would be negatively affected by recognizing the privacy rights of Canadians.

In particular, although the bill speaks about a balance at a general level, it is so, to borrow a word from the member opposite, “flexible” that it creates space one could effectively drive a truck through, with so many different exceptions and exemptions that it is not really effectively protecting the privacy rights of Canadians.

A member opposite, in a speech just given, said that this is a flexible framework, that the bill is flexible. Well, flexibility is not always a virtue. In particular, it is flexible for who? Who is doing the flexing? Who is the one who is able to bend the bill back and forth to their own will and interests? I would suggest the flexing is not being done by the individual who is supposed to own their own data, the flexing is being done by these corporate interests the government is close to.

Even if one believes this should be a balanced approach, it is not a balanced approach. It is a highly “flexible” approach in which the bending and twisting is done by the particular interests the government has been and always I suspect will be close to until we are able to have a new government in this country that respects fundamental rights, respects privacy and believes in a free competitive market in which businesses compete instead of where particular corporate friends of the government are protected.

I want to draw the attention of members to specific sections in here that identify broad exceptions in the legislation. Subclause 18(3) would allow the organization or business to use a person's information if they have a legitimate reason for doing so. That is pretty flexible. If one wants flexible, we are going to say this data cannot be used in a certain way unless there is a reason to do so. I would submit most people who do things think they have a legitimate reason for them. Others might not think they have a legitimate reason, but to say people's data can be used as an exception if there is a legitimate reason, there likely could be no broader conceivable exception than that one.

However, there are more exceptions even, if that one were not enough. The legislation, for instance, in subclause 15(5), refers to “implied consent”, so apparently in the case of privacy legislation, consent is not so sacrosanct, because companies can interpret an implied consent in this context.

There are clear problems with this legislation in terms of the particulars, but we can understand broader than the particulars the motivation or the value set that is behind this bill, which is that the government is once again trying to defend corporate interests instead of defending privacy and a genuinely competitive free market.

Madam Speaker, I am so pleased to rise today to speak to the digital charter implementation act, 2022. With Bill C-27, our government is showing leadership in a new digital world. Privacy is important to the residents of my riding of Hamilton Mountain. It is important to all Canadians. This legislation would not only benefit consumers, it would allow companies to innovate, compete and thrive.

The world I grew up in is significantly different from the world in which my son is growing up. This bill gives me confidence that we will be able to take advantage of the latest technologies, while at the same time be assured that our personal information is safe and secure.

I want to specifically talk about the consumer privacy protection act and how it sets out a balanced approach to compliance and enforcement.

Canadians clearly want their personal information to be handled responsibly, and they want meaningful consequences for organizations that break rules to gain some advantage. Canadians want fair punishment for truly bad actors.

According to a survey published by the Office of the Privacy Commissioner, 71% of Canadians have refused to provide their personal information to an organization because of privacy concerns. In an earlier survey, this same percentage of Canadians said that their willingness to share their personal information would increase if they knew the organization would face financial consequences should their information be mishandled. Such consequences are clearly an important tool for enhancing privacy protection for Canadians and also for helping organizations comply with the law right from the start.

The consumer privacy protection act, or CPPA, will assist companies to get privacy right and the escalating enforcement approach will correct problems as they arise.

The new privacy law incentivizes organizations to step up and improve their privacy practices at the outset. The CPPA will also provide the Privacy Commissioner with a key role in helping them do so.

Under the CPPA, businesses will be able to ask the Privacy Commissioner to review the policies and practices that make up their privacy management program, which will assist them in complying with the law. The commissioner can also ask to review such programs. This is a very important step in the early detection and serves to correct problems at the outset.

Privacy management programs cover a wide range of privacy considerations: how companies manage service providers; how they respond to breaches; when to undertake privacy risk assessment; employee training; complaint handling; and so on. Under the CPPA, the Privacy Commissioner will be able to examine these policies and practices outside of an investigation. The goal is for the commissioner to give advice and make recommendations.

The CPPA will prevent the commissioner from using what he or she has learned in these reviews in any enforcement action unless the organization willfully disregards recommendations. We think this would be very rare, but if it happens, action can be taken.

The approach provides an appropriate space in which the commissioner can provide advice and companies can take proper action. At the same time, the commissioner will be able to gain insights on how the law is implemented in real-world situations, thereby being able to better advise organizations on the challenges they may face in the privacy space.

Essentially this approach builds on the Office of the Privacy Commissioner's current business advisory function, which has proven successful in encouraging compliance through engagement rather than enforcement. By allowing for the review of privacy management programs, the CPPA provides businesses with a safe place to seek and obtain advice and implement compliance solutions at the onset. We believe this will help prevent privacy issues before they have an impact on individuals.

We know Canadian companies will be very interested in this part of the new law, particularly smaller companies and start-ups, and I can probably think of a few in Hamilton Mountain.

The CPPA recognizes that a one-size-fits-all approach does not work for privacy. Some organizations deal with minimal amounts of personal information; for others, it is central to their business model. That is why the CPPA allows organizations to develop their privacy management programs according to the volume and sensitivity of the personal information that they handle, and why the commissioner must also take this and a company's revenues into consideration during the exercise of the role under the law.

Another important protection under the new act is the ability of the Privacy Commissioner to review the risk assessments and mitigation measures that organizations must do if they rely on a brand new exception to consent for activities in which they have legitimate interest.

Under the CPPA, the Privacy Commissioner will continue to undertake research and publish guidance. It is a long-standing role and important in helping organizations meet their compliance obligations. It is a role that we wholeheartedly support.

The bill would ensure that organizations build privacy considerations into their products and services from the beginning. Working with organizations, giving guidance, this is a fundamental role of the Privacy Commissioner. We want to be proactive here. We want to prevent problems before they have a harmful impact on individuals.

However, there will be organizations that do not have the right practices. There will be others that have the right practices but still make mistakes. This law provides individuals with the right to complain about an organization's privacy policies when they appear to be offside with the law. The right to complain is considered to be a fundamental principle in all privacy statutes.

Under the CPPA, like PIPEDA, the Privacy Commissioner also retains the ability to initiate a complaint investigation when there are reasonable grounds to do so. This is an important role because filing a formal complaint is not always obvious. Maybe some people will not know there is a problem; maybe they do not have time to make a complaint. This is where the Privacy Commissioner should be able to take action when intelligence gathering from media reports and their own research indicate that there could be potential trouble.

CPPA encourages the early resolution of problems and provides for dispute resolution. Over the years, through its active early resolution approach, the Office of the Privacy Commissioner has successfully been able to resolve many complaints with limited formality.

The CPPA maintains such tools for the commissioner. For example, compliance agreements, introduced relatively recently under PIPEDA, remain in the CPPA. Pursuing these agreements allows companies to work out an acceptable resolution with the commissioner, without the commissioner resorting to more formal measures, like orders. However, resolution will not always be possible or desirable. Sometimes the commissioner will need or want to consider stronger measures.

Under CPPA, the commissioner will have the power to issue orders to compel an organization to take necessary actions to bring the organization into compliance. This is a new power and a key improvement over PIPEDA.

Prior to issuing such orders and to ensure fairness, the Privacy Commissioner's office will need to go through a new process, called an inquiry. Once the inquiry is completed, the commissioner will issue findings and a decision, and will make orders as necessary to an organization to change its privacy practices.

As part of this process, the Privacy Commissioner may also recommend administrative monetary penalties to a new tribunal for certain contraventions of the law. The possibility of significant fines for non-compliant organizations, fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offences, is another key improvement over PIPEDA.

A key part of the new enforcement regime, the personal information and data protection tribunal is being established to hear appeals of the commissioner's decisions. If required, it will also decide whether to issue a monetary penalty and, if so, the amount.

Industry stakeholders say that we need impartiality in enforcement decisions, given the different roles of the Privacy Commissioner. This was particularly the case for any proposals involving monetary penalties, which have the potential to significantly affect an organization.

The new privacy law will support additional due diligence in decisions to impose monetary penalties by introducing an inquiry phase before issuing orders, and by separating the imposition of penalties from the commissioner's other responsibilities.

We know that some organizations will challenge the commissioner's orders and recommendations, and we do not want to burden the courts. This is another reason for introducing a new tribunal. It is intended to be more accessible than the courts. It will ease access to justice for the individual and the organization.

After the previous version of this bill was tabled, stakeholders told us it needed more privacy expertise. We listened and this version of the CPPA has the necessary privacy expertise to ensure credibility.

Madam Speaker, that is a very important point. I have a seven-year-old son, and he is starting to play games on my iPhone and whatnot.

We cannot say that Bill C‑27 will protect children because this bill does not include a definition of sensitive information, which we need.

Madam Speaker, we are here today to debate Bill C-27, the digital charter implementation act. With this bill, the government seeks to bring Canada's consumer privacy protections up to date, to create a tribunal to impose penalties on those who violate those protections and to create a new framework on artificial intelligence and data.

For my constituents, I think the most important question is this: Why are consumer privacy rights important? Our personal information has become a commodity in the modern world. Businesses and organizations regularly buy, sell and transfer our personal data, such as our names, genders, addresses, religions, what we do on the Internet, our browsing history, our viewing and purchasing habits, and more. This happens so often that it is almost impossible to know who has access to our sensitive data and what they do with those personal details. Unfortunately, this bill fails to adequately protect the privacy of Canadians and puts commercial interests ahead of privacy rights.

The first part of this bill is the consumer privacy protection act, and I will note, as many others have during this debate, that it is really three bills in one. It is the largest part of this bill and brings in new regulations on the collection, use and sale of the private data of Canadians. I will cover three issues that I have found in this act in the first part of this bill.

The first issue relates to how organizations may collect or use our information without our consent. Subclause 18(3) states:

(3) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use

Without defining what a “legitimate interest” is, this subclause risks giving organizations free rein to define “legitimate interest” in whatever way suits their own commercial interests.

The second issue I will cover relates to how the bill would protect the privacy rights of children. Subclause 2(2) states:

(2) For the purposes of this Act, the personal information of minors is considered to be sensitive information.

However, nowhere in this bill are the terms “minor” or “sensitive information” defined. This will lead to confusion about how the personal information of children should be handled, and will ultimately lead, in my opinion, to weak protection of that information. There is also no other provision in this legislation that regulates the collection and use of children's personal data.

Every parent in the House of Commons is very concerned about their child going on Minecraft and about their interactions with other people and other gaming sites. This bill does not do enough to protect children in the context of online gaming.

The last issue I will raise in this act relates to when organizations can rely on implied consent to collect and use personal data. Subclause 15(5) states:

(5) Consent must be expressly obtained unless, subject to subsection (6), it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.

This subclause highlights that the bill lacks a clear definition of “sensitive information”. This means that organizations will have free rein to determine when they can rely on implied consent, and they will be free to decide what information is or is not deemed sensitive according to their interpretations and not the legislation's interpretation.

The second part of the bill relates to the creation of the new personal information and data protection tribunal act. The bill would create a new semi-judicial body with the power to levy financial penalties against those who violate the CPPA, the first part of the act. I question whether this tribunal would be able to enforce the penalties outlined in clause 128, which are tied to global revenue and a proportion of profit in the previous fiscal year.

How does the government plan on ensuring accurate figures? Does the government really believe that it will go after Google in a global context, hold Google accountable and collect up to 4% or 5% of Google's global revenue? It is farcical.

We need very clear and very big amendments to this section. We need to question whether we even need a tribunal, because if it is in charge of enforcing clause 128 of the bill, I already know it is going to fail.

Under the third section of the bill, the artificial intelligence and data act, new provisions would be created that apply to the private sector. However, this bill does nothing to address the relationship between government and artificial intelligence.

Right now in Parliament, we are debating Bill C-11, which talks about the government's use of algorithms in the context of the CRTC. This bill has rightly infuriated Canadians across the country who are concerned about how the government would determine what people say and do on the Internet and where they would be directed. Why is the government not trying to apply the same standards upon itself as it is trying to apply on private corporations?

I want to address some other key oversights in the bill.

First, in the U.K., EU and even Quebec, certain personal details, such as race, sexuality and religion, are given special protection in comparison with other personal information. Why does the government believe the most identifiable aspects of our personal information are not worthy of being defined as sensitive information in the context of privacy law?

Second, the bill does nothing to regulate the sale of personal data. I am reiterating this point. In a world where the sale of personal data has become an integral part of our economy, why is the government not concerned with setting clear rules on how data and what kinds of data can be bought and sold, especially in the context of children?

Third, the bill fails to regulate the use of facial recognition technology. The RCMP used Clearview Al's facial recognition database, which was illegally created. Why does the government not think it is appropriate to ensure this never happens again?

Fourth, the consumer privacy protection act and the personal information and data protection tribunal act proposed in this bill are nearly identical to the acts proposed under last Parliament's Bill C-11. The consequence is that Canada's consumer privacy laws will be out of date by the time they come into force.

This bill was an opportunity to put forward strong regulations on the collection and use of personal data, but it failed to meet some basic criteria and thresholds. While the increased penalties for violating the act are welcome, they are watered down by the implementation of a tribunal that would take months or potentially even years to make a decision and levy fines. It is even questionable whether such a tribunal could actually do what it is purported to be responsible for.

Do we really need privacy legislation that fails to protect the privacy of Canadians? Do we really want privacy legislation that fails to put consumer interests ahead of corporate interests? Do we really want privacy legislation that fails to protect the personal information of children? Do we really want Al regulations that do not apply to government? Frankly, the government needs to withdraw Bill C-27, break it up into different parts and come back to Parliament after it has looked at the drawing board again and done something a little more comprehensive.

Madam Speaker, this is my first opportunity to get in on the debate on Bill C-27 today, and I have to say that my thoughts resonate a great deal with those mentioned by the hon. member for Windsor West in his pointing out that this is three bills in one.

To focus on the part that is completely new, artificial intelligence, I find that there is a great deal of tautology when we look at the bill. For instance, it says that we will know what a high impact of artificial intelligence is if it “meets the criteria for a high-impact system that are established in regulations.” There are a number of other places like this, but we do not have regulations yet. When will we know what the bill means?

Madam Speaker, I thank my colleague. I would simply like him to answer the following question.

Since Quebec already has its own privacy legislation and it works very well, does my colleague not think that Bill C‑27 should clearly state that it will not contravene Quebec's legislation?

This should be stated in the bill.

Madam Speaker, I rise today to speak about Bill C-27. I will focus on the artificial intelligence and data act, but before that, I would like to briefly talk about the overall digital charter implementation act.

Canadians have never been more reliant on the digital economy, yet the current privacy law was last updated over 20 years ago, before iPhones or Facebook even existed. In the new digital economy, enhanced privacy would not only benefit consumers but allow companies to innovate, compete and thrive. We are now at a juncture where, over the next few years, the rules of the road for digital privacy and AI are being written and entrenched. That is why it is crucial to have clear rules when it comes to this sector. For Canadians to prosper and benefit from the digital economy, they need to have confidence that their data is safe and trust that their privacy is being respected.

That is why the government has introduced this legislation, which would ensure that Canada has critical protections in place. Bill C-27 would ensure that Canadians have first-class privacy and data protection and that companies that break the rules face severe consequences, some of the steepest fines in the world. It would also hold organizations to a higher standard, in particular when it comes to protecting the personal information of minors by giving them and their parents more power over their information, including the ability to have it deleted. With Bill C-27, we are moving beyond traditional privacy protection to ensuring data control for all Canadians. Canadians can be reassured that we will never compromise on the trust and safety of their privacy.

Over the last decade, artificial intelligence technologies have been expanding rapidly and have been benefiting Canadians in a variety of ways. These technologies are evolving rapidly and with that, there is an increase in risk and harms due to the use of AI systems, whether intentional or unintentional. The artificial intelligence and data act, or AIDA, would establish rules to promote the responsible use of AI and the related governance practices. The framework would ensure that the development of AI systems has to include plans to mitigate bias and harm and that organizations are accountable for their practices.

The AIDA seeks to regulate international and interprovincial trade and commerce in artificial intelligence systems by requiring that certain persons adopt measures to mitigate risks of harm and biased output related to high-impact artificial intelligence systems. The act would provide for public reporting and would authorize the minister to order the production of records related to artificial intelligence systems. The act would also establish prohibitions related to the possession or use of illegally obtained personal information for the purpose of designing, developing, using or making available for use an artificial intelligence system in an intentional or reckless way that causes material harm to individuals. This would ensure that Canadians have strong privacy protections and clear rules of the road for business, as well as guardrails to govern the responsible use of artificial intelligence.

This bill would provide Canada with adequacy within the European Union's GDPR framework and international interoperability on privacy. Further, it would enable Canada to remain on the cutting edge of artificial intelligence development. This bill would help us to build a Canada where citizens have confidence that their data is safe and their privacy is respected, while unlocking innovation that promotes a strong economy.

The University of Toronto’s Schwartz Reisman Institute for Technology and Society studied this bill, and I would like to quote from an article written by policy researcher Maggie Arai:

As technology continues to advance and permeate almost all aspects of modern life, it has become necessary for regulators to grapple with how to best regulate it. New ways of collecting and processing personal information necessitate new regulations to protect those whose information is being collected, analyzed, and sold—often whenever they visit a new website or sign up to a new app like Facebook or TikTok. Advances in artificial intelligence (AI) are also top of mind for many regulators, posing unique risks and challenges that must be addressed. The recently tabled Bill C-27 represents Canadian regulators’ efforts on both fronts.

She goes on to say:

The Artificial Intelligence and Data Act (AIDA) is the federal government’s first attempt to comprehensively regulate artificial intelligence. Canada is not alone in this: AIDA comes in the wake of similar initial attempts at AI regulation by other governments around the world, such as the European Union’s 2021 AI Act and the United States’ 2022 Algorithmic Accountability Act. AIDA, like the EU’s AI Act, takes a risk-based approach to regulating AI. However, it is worth noting that Canada proposes categorizing AI based on whether it is “high-impact,” while the EU uses the language of “high-risk.” AIDA is also far less prescriptive than the EU AI Act. The draft Act is quite short, with much room left for the enactment of provincial AI laws as well as further federal regulation....

She continues:

A person becomes a “person responsible” for an AI system if they design, develop, make available for use, or manage the operation of an AI system in the course of international or interprovincial trade and commerce.

The major requirements contained in AIDA for “persons responsible” for AI systems include ensuring the anonymization of data, conducting assessments to determine whether an AI system is “high-impact,” establishing measures related to risks, monitoring and keeping records on risk mitigation, and requirements for organizations to publish a plain-language description of all high-impact AI systems on a public website. If at any time the Minister has reasonable grounds to believe that a person may be in contravention of these requirements, the Minister may order that person to conduct an audit into the possible contravention, or engage an independent auditor to conduct the audit.

She goes on to say:

The tabling of Bill C-27 represents an exciting step forward for Canada as it attempts to forge a path towards regulating AI that will promote innovation of this advanced technology, while simultaneously offering consumers assurance and protection from the unique risks this new technology...poses.

She also states:

There are also sections of C-27 that could be improved, including areas where policymakers could benefit from the insights of researchers with domain expertise in areas such as data privacy, trusted computing, platform governance, and the social impacts of new technologies.

She goes on to say:

To ensure that the powerful new technologies that shape our world today benefit everyone, it’s essential that our policies are well-informed—especially when it comes to how technical systems work, how they interact with our legal infrastructure, and how they impact society. As we approach the implementation of this landmark regulation, it’s critical that Canadians are engaged and informed on these topics and ready to make their voices heard.

I will now quote from an article written by the law firm of McCarthy Tetrault, which states:

Bill C-27, if adopted into law, is set to have a significant impact on businesses by creating new requirements for those who make, use, or work with AI. The bill imposes several new obligations on the AI sector which are backed by serious penalties for non-compliance.

Madam Speaker, I rise today to address the House with respect to Bill C-27, the digital charter implementation act, 2022. It is just a year or so behind.

Thirty-four years ago, the Supreme Court of Canada recognized that privacy was at the heart of liberty. Much has changed since 1989 and little more drastically than the continuous transfer of the private information of Canadians to other organizations. The questions we need to ask are these: What are the costs of and what are the benefits of the availability of Canadians' private information for the use of others?

Many organizations see themselves as supplying useful value to Canadians by being provided, whether by contract or by capture, private information that is not knowingly provided by citizens. Examples include service companies that recognize when a consumer might be able to save a percentage of their fees by bundling certain services. In such a case, the benefit of this information availability is shared by the consumer and the service provider.

Let us make no mistake. What drives the action by the service provider is profit, which is known as the greater share of wallet. Nevertheless, in such cases, the consumer sees the benefit of being included in the information sharing, whether they know it has occurred or they do not.

This apparently benign approach to gathering information has now stretched to our daily lives, where our computers, our phones and our in-home private intelligent assistants, like Siri and Alexa, are gathering information on us. When my sons are at their homes and use Siri, they say, “Siri, turn on”. They have figured out that Siri was listening the whole time. A lot of information is being culled. Do we know that our information, in that case, when we have not actually disclosed it willingly, is being used in a benign or creditable way? Which of that has become public information to be monetized by somebody else? That is what is occurring.

Large corporations are gathering data that is being sold to others for their own purposes. That supposedly benign relationship is now being passed to another organization, in that case, that is paying the information gatherer, and so on. There is no accountability mechanism to the individual for the benefit of the supply of one's information to flow.

There is only one measurement at play, and that is profit. One need only look at the incredible financial returns associated with these technological information-gathering companies, including the Googles, the Metas, the Amazons, etc. None of those are Canadian, by the way, and realize that the value-extraction industry is lopsided in their favour. At no time in human history have start-up companies, many without a tangible product, achieved such lofty valuations so quickly. Billionaires are created out of computer code, which provides what, exactly. It provides our information.

Value is created and destroyed in commercial markets. That is the economic engine that has led the western world to prosperity, but value is only traded in financial markets. Let us ask this: Is the culling and selling of private information, however obtained, creating value or transferring value?

In that respect, the intent of this bill is good. It is designed to modernize the protection of Canadians' digital privacy rights. It is past due, and it is important. It cannot be delayed by another prorogued Parliament or another unnecessary election call, as happened to the prior bill that was introduced to advance this issue in the last Parliament. The aim of this bill is good. The execution, I would say, is way off. I see a bureaucratic solution, designed by bureaucrats, for use by bureaucrats, with what would be a minor effect for the Canadian population in general. As we say, if you are a hammer, everything looks like a nail.

The design outcomes of this bill are increasing bureaucratic oversight. The personal information and data protection tribunal act would have six members and would be put together in a tribunal, three of whom would have experience in information and privacy law. Only three out of six, which is half, are going to have experience in the very laws that they would be overseeing.

This is going to be responsible for determining the severity of financial penalties. It would have a staff of 20 with a budget, along with a larger budget for the Privacy Commissioner, which already exists. Does anybody see any redundancy in this solution?

There is a litany of financial penalties listed through this bill and a host of requirements of all businesses, even small businesses, which are going to find the requirements of this bill onerous in the extreme. Joe's Garage is going to be treated with the same expectations as the Royal Bank and face the same potential penalties.

I will read from this legislation something that would scare any small-business person. This is about privacy management programs, as required under the legislation. It states that, “Every organization must implement...a privacy management program that includes the [organization's] policies, practices and procedures....”

It further states that, “...the organization must take into account the volume and sensitivity of the personal information under its control.” What does that mean, and how do we interpret that?

It also states, “...the organization must ensure, by contract or otherwise, that the service provider provides [substantially the same] protection....” Therefore, a businessman is going to need to ensure that something nebulous is not being provided by their service provider when forwarding information. Clearly, no one involved in this bill's design has even considered what this means for Canada's small-business community.

Here is the issue for Canadians. Who has the most information on Canadians? Governments, first of all. Who is likely to get information hacked? Those same governments.

This bill shows a complete lack of accountability by the government regarding how it might misplace or misuse Canadians' data. Is the government going to fine itself in such an instance? I doubt it. That would be a round-trip anyway, at that point in time.

Banks, secondly, have a lot of information about Canadians, and they use that information to increase their returns. They have large bureaucracies, large legal departments and government relations departments to stick-handle these fines. I should note, in this legislation, many exemptions are included. Therefore, we are building more bureaucracy. That is just what Canadians have elected us to do, I say very sarcastically.

On top of the 30% increase in federal government employees over the past six years, we are going to build more bureaucracy. What this bill should be doing is trying to strike a balance between business use of data and the fundamental protection of our privacy.

Let us quickly discuss some of the nefarious uses of digital information gathering. Let us go back to the pandemic, when CERB payments were given out to Canadians, and how many criminal organizations misused that government information to pilfer the pockets of Canadian taxpayers and get undeserved CERB payments into the wrong accounts. This is what happens when government information is pilfered, and this is the main problem with the privacy of Canadians' information.

My advice to the government is to get this bill moving. It is way behind other jurisdictions on this very important issue. Look at how the absence of privacy protection has affected Canadians, and take a look at where the value of Canadians' information has gone: to all the large American tech companies.

The government must listen to that input and the alternatives that are going to be put before it when it puts together this bill. Hopefully, the government amends this bill so it actually addresses the privacy of Canadians in a more complete manner. Listen to that input and to those alternatives. As the Supreme Court of Canada reiterated 34 years ago, Canada needs to recognize privacy as a right, so let us get to work in providing an outcome that actually safeguards Canadian's privacy.

Madam Speaker, 20 years after the need to see changes was shown, Bill C-27 is here.

The last time we saw changes, Facebook and iPhones did not exist. This is important legislation. Within it, to use a couple of examples, there are frameworks that allow for substantial fines and protection of Canadian privacy.

What we are hearing from the Conservative Party is that Conservatives do not want any of it. They are going to vote against the bill. The Conservatives are ultimately arguing that the bill is not amendable.

Does the member not see any value in the substance that is actually there to protect Canadians and empower things such as substantial fines?

Madam Speaker, we are talking about Bill C-27, an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other acts. The length of the bill's title is commensurate with the work that will be required of legislators.

Obviously, the Bloc Québécois will be voting in favour of the bill, since we have wanted it for quite some time. Quebec is actually already ahead of the curve on this issue. We absolutely must send Bill C-27 to committee so we can hear from experts who will point out the flaws in the bill, shed light on how to improve it and put some flesh on the bones, so to speak.

There are too many details in terms of the areas of action and application, and we cannot look at them all too quickly. We need some clarification, and that is to be expected. The committee needs to hear from a wide range of witnesses. The bill must not pass too quickly. What matters is taking our time in committee. That is what taking responsibility looks like, if we want Internet users to do the same.

On November 28, 2022, the Speaker of the House made the following decision regarding Bill C‑27:

...two votes will take place at the second reading stage.... The first will be on parts 1 and 2, including the schedule to clause 2. The second will deal with part 3 of the bill.

Thus, if the House votes against the AI portion, work on Bill C‑27 will continue without that portion. If the House votes in favour of the bill in its entirety, it will go to committee. Even if we vote in favour of the AI portion at second reading, there is still an opportunity to vote against it at third reading. That sort of latitude is important.

The Personal Information Protection and Electronic Documents Act has needed reform for years. A digital charter is urgently needed. Canada's privacy law is pre-digital, if not prehistoric. Today's context is completely different from that of the 2000s.

Bill C‑27 is also a response to the strict and ambitious European privacy legislation, the General Data Protection Regulation. We already know that without an adequate legislative response, it will become impossible for European organizations to exchange information with countries or international organizations that have not adopted legislation as strict as theirs.

If Bill C‑27 is not well structured and up to date, Canada will not meet the European Union's expectations. I consider that to be important and very serious.

In Canada, the financial sector is beginning to worry, and it is putting pressure on the government because it fears losing a portion of its European market. That makes sense.

There is less pressure in Quebec because our laws are already compliant, or almost. What is governed by Quebec is already relatively protected. The problem is when two levels of government overlap and one is inadequate. For example, Mouvement Desjardins is already prepared, but the same cannot be said for Fiducie Desjardins, which is the Ontario counterpart. It is the former Trust Royal, an Ontario trust company.

It is troubling, for example, that Ontario does not have updated privacy and artificial intelligence legislation when we do and that even the same institutions with the same names do not have the same laws.

However, even though this is an urgent issue, we cannot take a scattershot approach and let the most important things get lost in the shuffle.

Let us talk about protecting individuals. In many ways, Bill C‑27 seeks to protect individuals' anonymity. It puts the individual and the idea of consent back at the centre of reflections on digital exchanges. To date, in Canada, organizations have been given a free pass and they have taken advantage of the digital wild west to share personal information without any legislation to stem their greed. Bill C‑27 will not only limit and restrict their excessive freedom, but it will also give them responsibilities.

Bill C‑27 creates a tribunal. It sets out three types of sanctions for those who contravene the act. The first is administrative monetary penalties, or fines, which work for road violations, at least. The other two are criminal and penal offences.

Bill C‑27 is clearly binding and it has real power.

Privacy protection is a shared jurisdiction. Even if Bill C‑27 gives the impression that it will be consistent with Quebec's new Bill 25 on privacy protection, as currently drafted it offers no such guarantee. The government must ensure that Bill 25 is substantially similar to Bill C‑27 and stipulate it by decree. We understand that Bill C‑27 is not intended to infringe on Quebec's legislation. This needs to be confirmed in committee.

Let us now talk about artificial intelligence, more specifically about individual identification. There are currently three ways to identify an individual, either with a password or social insurance number, biometric data and voice recognition and our possessions, such as text messages, phone calls and so forth.

Currently, European law requires companies to rely on two of those ways, and maybe three, eventually. Bill C‑27 needs to legislate on this as well.

There is also the variable of sensitive personal information. Inspired by European law, Quebec's Bill 25 on privacy protection defines information as sensitive if “due to its nature or the context of its use or communication, it entails a high level of reasonable expectation of privacy.”

On that point, although Bill C-27 does not define what sensitive data is, its meaning will guide the development of cybersecurity measures. In other words, the AI legislation enacted in Bill C-27 will serve as the foundation upon which more ambitious legislation will have to be built so that we can more adequately regulate the AI environment. It is a good start, albeit a late one.

In closing, I would point to the many feats of artificial intelligence. This is a process of imitating human intelligence that relies on creating and applying algorithms in a dynamic computing environment. We have all seen the Prime Minister responding in a fake interview where he can be heard making false statements. The sound and image were really similar. It was uncanny.

It has also been shown that artificial intelligence can create works of art whose similarities are so close to the original creation that they could compromise its original value. I am a songwriter, and, thanks to the ChatGPT concept, one could take the various characteristics of each of my 80 original songs and make an 81st that would have essentially the same melodic flourishes and the same kinds of metaphors. I confess that this troubles me immensely.

We all understand the potential scale of this kind of thing and how it can have all kinds of repercussions. However, we have also been told that, for science, this tool can be revolutionary as long as we have a legislative framework that is adapted to the current state of AI and future-proofed for developments to come. What worries us is the minister's stated intention to pass the bill quickly. Bloc members believe the committee should take all the time it needs to hear from a broad range of witnesses so we can identify and fix the bill's grey areas and blind spots.

The government indicated openness to slowing the work down. Will it do as we ask? We hope so. If that is how it works out, that would be good.

AI is more about the data analysis process and the ability to do that thoroughly than about a particular format or function. That is why we have to deal with the issue carefully and understand its impact so we can make the necessary legal framework as good as possible. Doing that means taking the time for an in-depth study of Bill C‑27.

Here again, Quebec is the leader of the pack, and others would do well to follow suit.