Bill C-27

Madam Speaker, it is an honour to rise once again in this place as we resume debate on Bill C-27, the digital charter implementation act.

During discussion of this bill and related issues, we are not going to get anywhere if we do not start to recognize that privacy is a fundamental right. This is what Conservatives believe and is where we are coming from when we talk about the positive or negative aspects of this piece of legislation. Not only is it true, but it has to be a priority. That is what Canadians expect from us and that is the message we are delivering to the current government. It is also what has been echoed by many of our constituents as we get emails or phone calls from people who are concerned about this bill and about this issue in general.

The world we live in is rapidly changing and the pace of change seems to be getting faster as we go. It is really amazing what people can achieve with digital technology, yet it has also left us in a more vulnerable and insecure position. There are many ways to intrude upon and violate our privacy that did not exist before, and it is safe to say that this trend will continue in the coming years.

If it was not clear already, it is easy to see now that we have to do more than respond to the changes simply as they come. Instead, we need to do our absolute best to think ahead and make sure that our efforts to protect privacy will not become outdated shortly after we pass any kind of bill into law. It is the least we can do if we are serious about preparing our country for the future, but it is true that, before we can do that, we first have some catching up to do.

Our current privacy legislation is long overdue for an update. It has been 22 years since Canada updated its privacy legislation. Twenty-two years ago, the Internet was basically a new phenomenon, and only about half of Canadians were online. Back then, I think Joe Sakic was the MVP of the NHL, and I was only 13 years old, so a lot has changed in that time.

Today, the Internet is a valuable tool used daily by the majority of Canadians. Generally speaking, people basically are living online. We use social media to connect with family, friends and professional networks. We use a GPS to get directions to move from place to place and navigate around our cities and towns. We have online banking to manage our finances. However, at the beginning of the new millennium, pretty much the majority of this was unheard of. In fact, I think we can all remember what we thought was going to potentially happen on Y2K and the implications it was possibly going to have on technology, which thankfully never came to fruition.

It has been years since the Liberals announced a new data strategy for Canada, which also has not become a reality. The promise also came four years after they formed government. It has now been about as long from then until now. After such a long time, Canadians are still waiting for someone to provide higher standards for the use and collection of their personal data.

So much of what we do these days involves an exchange of our data. Facial and fingerprint recognition are used for security, along with our passwords. Digital maps and search functions track our locations in real time. Many of us upload and share an overwhelming amount of personal information on social media accounts and platforms. We are constantly giving our data to different online companies in order to use their services. People feel comfortable enough to do all this because there is a voluntary loss of privacy for the sake of convenience, but this arrangement also requires a deep level of trust. It could not exist otherwise.

Whenever there has been a breach or loss of that trust, the problem of privacy becomes more obvious. There have been organizations exploiting the trust of people to sell their personal information without authorization. In some cases, the data has gone to places that are not working in their best interests.

I am sure, Madam Speaker, like many people in the House, when you go to a website it asks you if you accept the cookies, for example. Obviously, people just accept and go on there because they want to read the articles. What they do not realize is what they are agreeing to when it talks about what is going to happen with their search history or different aspects that might be invaded by those cookies. Therefore, we have to get serious about privacy. We have to mean it when we say that we recognize that privacy is a fundamental right.

The first draft of Bill C-27 says in the preamble, “the protection of the privacy interests of individuals with respect to their personal information is essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada”.

Of course, I am not going to disagree with that. I believe it is good for a law to make a statement like this. However, it is also true that we can and should take it a step further in the same direction. Why not have this type of statement included in the text of the bill instead of only in the preamble? That way, it would more likely be stronger for enforcement and interpretation by the courts. With the situation we are in today, it is worth making our privacy law as strong as possible, and this would be a simple way for us to set the right tone. That is something we are calling for.

This is one example, among many, of how Bill C-27 could be improved with some amendments. Conservatives want to make sure we update our legislation in the right way. After all, in this area of privacy, we should not settle for less.

There is more that can be done to fill the gaps in our privacy law. If the government does not accept stronger legislation, it will simply be insufficient. The law must ensure that the privacy of our citizens would be respected by the activities of government and business. Canadians are the owners of their data, and corporations should ask for consent if ever they hope to collect, use or disclose a client's information.

Instead, the Liberal government still has loopholes with respect to privacy. Corporations can still operate with implied consent instead of express consent, which is freely given, specific, informed and unambiguous consent. What happened with Home Depot and Facebook shows how relying on implied consent can go wrong. In this case, a person could ask for email receipts from Home Depot. Their email address, as well as details of their purchase, were given to Meta, which then matched the person with a Facebook or Instagram account.

When brought to court, Home Depot claimed that it had the implied consent of customers to share their emails with whomever it pleased. When I shopped at Home Depot, I never gave my email address to it, but it never once asked me if I was okay with sharing that data with somebody other than for its own transactional purposes.

We have a lack of clarity, which is not protecting the consumer as much it should be. Implied consent has been losing relevance over time. In our context, it creates headaches for customers who are going about their regular business. They expect one thing and later find out that something much different is going on with their personal data. Even if they agreed or simply went along with something, they rightly feel misled by what happened. That is not informed consent. Our peer countries have been moving away from this. Europe's general data protection regulation has been heralded as the gold standard for privacy laws, and it has done away with implied consent.

Going back to discussing Home Depot, it also said that anything people bought there would be classified as “non-sensitive”, which is something this bill fails to define. Vague language will not favour our citizens in the end. With the Home Depot case, we can see that the law could be interpreted by larger organizations to allow them to do what the law actually intended to restrict. We should clearly define “sensitive information”, and it needs to apply to everyone.

Another vague part of this bill is the implementation of the right to disposal. Bill C-27 would allow the user to request that their data be destroyed, but clarification is needed regarding anonymization and the right to delete or the right to vanish.

At the end of the day, this bill is like many announcements the Liberal government likes to make. It sounds good, but the incompetence, the vague language and failure to close loopholes mean that it would not do what it says it would do. However, it should not surprise anybody if a Liberal bill has significant weaknesses and gaps on the issue of privacy. It is hard for Canadians to take the government seriously based on its own record. It has not shown respect for privacy.

We have seen a government agency use location data from cellphones for tracking purposes. We have seen law enforcement access Clearview AI's illegally created facial recognition database, and, of course, last year we saw the public doxing of online donors. While that was happening, the Liberals decided to mess with the bank accounts of Canadians, and some of those people had not even made donations themselves and certainly had not committed crimes.

It is easy for things to go wrong when there is government overreach, but today the federal government has an opportunity to modernize and protect our country for the problems we face in the 2lst century. If it does not listen to us and fails to make the right decisions, it would be truly shameful.

Madam Speaker, we are here today to talk about Bill C-27. It has got a big fancy name: an act to enact the consumer privacy and protection act. I worked on this extensively as former chair of the Standing Committee on Access to Information, Privacy and Ethics. A big part of what we talked about was Canadians' privacy.

I want to lead off with a question that I think all who are watching here will want an answer to by the end of what I have said, and I hope I get there. Can we trust this government when it comes to privacy?

We have heard many accounts. We have heard of foreign interference. We have seen evidence that that has been happening under the government. We cannot even keep track of all the ethics breaches.

There was a recent article in the National Post about Canadians' data, and many folks out there would remember this, called “Canada's public health agency admits it tracked 33 million mobile devices during lockdown” and it read, “The Public Health Agency of Canada accessed data such as cell-tower location to monitor people’s activity during lockdown, it said”.

Can we trust this government? I think the answer is becoming more and more clear.

What have we done to protect consumer privacy? I was, again, part of that ethics committee. We formed an international grand committee of nine countries, representing half a billion people, where we really tried to tackle this and get to some better practices for big tech.

Cambridge Analytica was a scandal where big tech was getting our information. Many points are being collected, and 53,000 points of information is what we heard was the Facebook average amount they are collecting on us, and that is being sold to the highest bidder. It is being used to not only give us a choice on what cereal we should buy in the morning but also surveil us to make predictive behaviour so we will kind of go in the direction they want us to go.

We Conservatives saw a need to have a better, more robust policy, so I will read from our constitution, our policy, which I was part of drafting, along with many other EDAs from across the country. This is from the Conservative Party:

The Conservative Party believes digital data privacy is a fundamental right that urgently requires strengthened legislation, protections, and enforcement. Canadians must have the right to access and control collection, use, monitoring, retention, and disclosure of their personal data. International violations should receive enforcement assistance from the Canadian Government.

That is just a little snapshot of what we have been doing over here. We would hope that legislation like this would address some of those privacy concerns. What we learned and what many are hearing from this debate is that there are huge exemptions for big tech, huge ways to use consumer data in ways that, first of all, consumers do not want their information being used for, and they do not even know how their information is being used.

I am going to get into some of the critics of Bill C-27. I will read from an article today by a young man, Bryan Short, who has some concerns around Bill C-27. Referring to Bill C-27, the article says:

...this change opens the door for companies to begin describing their data collection and surveillance practices in a highly simplified manner, leaving out important details about how this information could be used to harm and discriminate against a person or group of people, and ensuring that the data broker economy continues to thrive while people in Canada’s privacy rights are pushed to the side.

Well, according to the Liberals, this is what this bill is supposed to be addressing. Here, we see simplified consent. That is something that we have supported too. It should be something that we can understand, but not to be abused in this manner, where the fine print is down here and we just check that little box to make ourselves feel good that we have done it. We feel like our data or our privacy is protected, but it really is not.

I will read on: “But with deceptive design practices already being regularly used to encourage people to click 'agree' without really understanding what they’re signing up for, Bill C-27’s weakening of consent could be a big step backwards in terms of privacy.”

I will keep reading, as I have a little bit more from this particular author. We talk about the right to request deletion, and that is part of one's data that is online.

In reference to Bill C-27, the article says, “What’s lacking is a mechanism for when people change their mind about consenting to the collection and use of their personal information, or if they’re opposed to the use of their data and consent wasn’t required at all”.

We have seen the exemptions. They are a big haul. My colleague from Edmonton just referred to those exemptions. We want some better pieces of legislation. I applaud the effort. The previous privacy commissioner Therrien was excellent in caring about Canadians' data and really pursuing a solution for it and defending Canadians. I applaud him for that.

However, I am going to go on to another critic whom I have gotten to know very well from being on the committee, and from his work in Canadian information and how important that is to protect. He is a man named Jim Balsillie, a stranger to none of us in this place and former part owner of BlackBerry. I will read from the article from the Globe and Mail called, “Privacy is central to human well-being, democracy, and a vibrant economy. So why won’t the Trudeau government take it seriously?” The article, written by Mr. Balsillie, states:

Privacy is a fundamental human right that serves as a gateway to other rights and freedoms such as freedom of expression, individual and collective autonomy, and freedom from harassment or invasion. Privacy is critical for the healthy development of the human brain, identity, close relationships and social existence.... “True realization of freedom, that is a life led autonomously, is only possible in conditions where privacy is protected.”

We absolutely agree that privacy is a fundamental human right. I will go on, as this helps explain what Mr. Balsillie is referring to in that paragraph. The article continues:

Behavioural monitoring, analysis and targeting are no longer restricted to unscrupulous social-media companies, but have spread across all sectors of the economy, including retail, finance, telecommunications, health care, entertainment, education, transportation and others.

I have told many high school classes an example of this. We learned that people's data is being monitored in real time, so when standing in front of a display at a big box store, it is known that one happens to be standing in front of a certain brand of headphones, so people should not be surprised if they get an ad for these particular headphones, and why they should buy them, before they leave the store. In a good way, it is incredible, but it is scary in other ways too with the predictive nature of having all that information.

Mr. Balsillie goes on to criticize the current Liberal government. He says:

Yet, Canada's federal government has repeatedly failed to take privacy seriously and construct a legal and regulatory framework that protects the rights of Canadians in the digital age...the Digital Charter Implementation Act, normalizes and expands surveillance and treats privacy as an obstacle to corporate profits, not as a fundamental right or even a right to effective consumer protection. After years of cozying up to Big Tech and meeting with its lobbyists as often as twice a week, the Canadian [Liberal] government is finally coming to terms with the fact that the digital economy needs to be regulated.

The act expands surveillance. It does not reduce it.

I asked initially this question: Can Canadians trust the Liberal government? The Liberals are pretty close to big tech guys. I will use the example that many have been talking about, which are smart cities. That conversation was brought up many years ago and as recently as just a few years ago. Our efforts at the ethics committee were to really push back on this invasion of privacy and that a particular smart city in Toronto, Sidewalk Labs, would have been an invasion of Canadians' information. The Sidewalk Labs project would monitor data on many levels, and it has connections to the current Liberal government. I will read from an article, which states, “Sidewalk Labs project gained support from Trudeau in 2017 call ahead of bid process”.

Madam Speaker, as it stands now, federal laws do not require federal political parties to follow the same privacy laws that apply to others across the country. This is an issue that could have been identified and addressed in Bill C-27, but it has not been. I wonder if the member for Edmonton Manning has a position on this and would he like to comment on it.

Madam Speaker, last week, the federal government banned the use of the TikTok app on government devices because of data privacy concerns, so it is very appropriate for us to be discussing this matter today. Digital data privacy can be seen as a fundamental right, one that urgently requires strengthened legislation, protections and enforcement. Canadians must have the right to access and control the collection, use, monitoring, retention and disclosure of their personal data.

This is a pressing issue. Realizing that, the European Union introduced the GDPR, its General Data Protection Regulation, in 2016. EU countries were given a couple of years to adapt to this new privacy reality, with the regulation coming into effect in 2018. The GDPR has been used by many other countries as a framework for privacy protection.

With the GDPR as an example, and faced with a changing digital data universe, the government basically did nothing to protect data privacy for Canadians. Perhaps that is an unfair statement. After all, digital and online data privacy was addressed in the last Parliament under Bill C-11. The Liberals recognized that Canada needed to bring its privacy laws into the 21st century.

However, that bill was never passed. Apparently, data privacy was not a big enough issue to be made a priority, and the digital charter implementation act was scrapped in favour of an election that Canadians neither wanted nor needed. Now we are asked once again to address this subject. It is indeed better late than never. I would have hoped, though, that with the delay, the government could have improved on what it is proposing.

Perhaps if the government had moved a little faster, Canadians would not have had to question how their data was being used and how their privacy was being invaded by governments and corporations. We are left to wonder how many privacy breaches have gone undetected or unreported. The ones we know of are disturbing enough. Tim Hortons used its app to track customer movements. The RCMP used Clearview AI’s illegally created facial recognition database. Telus gave customer location data to PHAC.

It has been more than 20 years since Canada’s existing digital privacy framework, the Personal Information Protection and Electronic Documents Act, PIPEDA, was passed. With technological changes in recent years, legislation is needed to address subjects such as biometrics and artificial intelligence. We have to consider how Canadians understand the issue of consent when it comes to the use of their data and their privacy.

I am deeply concerned and disappointed with how sloppy the Liberal approach in Bill C-27, the digital charter implementation act, 2022, currently is. Privacy is a fundamental right. This bill does not mention that, despite the Supreme Court of Canada having acknowledged it. We need to clearly distinguish the extent to which Canadians’ digital privacy will be protected. If the government wants the bill to be fully effective, it needs to further explore the scope of accountability required when privacy is breached.

The clear definition of consent is a major improvement from what it once was in the Personal Information Protection and Electronics Document Act, but a good definition is only the beginning. Because technology has greatly expanded and evolved since the implementation of PIPEDA, should we not also expand the umbrella of activities that consent would cover? The large number of exemptions allowed would weaken the impact of the legislation.

Bill C-27 may be a good beginning, but I had hoped for something better. It is sad that the bill’s title is perhaps the strongest statement in the legislation. While the title gives some idea of what the legislation is all about, it is already dated. We are no longer in 2022, and the Liberals are once again falling behind.

As parliamentarians, we know the power of words and the importance of speaking in a way that can be understood by those receiving the message. It is important that legislation can be understood. It is even more crucial that the bills we pass spell out exactly what we intend.

Perhaps the most important part of any of the laws is the section that provides definitions. They need to be clear and comprehensible and not subject to differing interpretations that weaken the intent of the legislation. Legislation that allows each person to provide their own definitions is problematic. Bill C-27 uses words such as “significant impact” or “sensitive information”. I cannot help but question what is covered by these vague terms.

Before the people of Edmonton Manning sent me to represent them in the House, I was a businessman. I understood the importance of safeguarding the personal information my customers entrusted to me and not to abuse that trust. However, as we have seen, some companies make unauthorized use of the information they gather to gain a competitive edge or for profit.

With that in mind, there must be a balance between acceptable use of data by business and the fundamental protection of our privacy. It seems to me that the balance is wrong on this bill, given the way it addresses user consent and the use of collected information.

The more I read Bill C-27, which 100 pages-plus, the more questions I have. There is too much in it in need of clarification. Yes, that will be done when it goes to committee after second reading, but the government could have presented a better bill to make the committee’s work easier.

I do not want to sound too negative. I know the Liberals mean well, even if they do not seem to be able to quite understand just how important digital privacy is to Canadians in the 21st century. I am pleased therefore to see that they understand that sometimes mere words or a scolding are not enough.

It makes sense to me that the Privacy Commissioner will receive new powers to enforce violations of the consumer privacy protection act. That may be the most impactful change the legislation brings about. It is not enough to simply recommend that perpetrators stop their violations. Any parent could tell us that consequences are needed if we want to ensure improved behaviour.

With the Privacy Commissioner finally being able to force violators to conform to the rules, I think we will see increased respect and better treatment of Canadians' personal information. The harsh financial penalties for non-compliance will be a powerful motivator.

Given the amount of time the Liberals had before presenting Bill C-27, we must question why they did not come up with a better bill. They have left me, and all Canadians, asking if they really understand what their own legislation is supposed to do.

Does the consumer privacy protection act, as proposed in the bill, do enough to properly protect Canadians’ personal information? The Liberals had a chance to look at the EU’s GDPR and see how well that worked. Did they learn anything?

Would Bill C-27 improve the protection of Canadians’ personal information or are there so many exemptions for needing consent in the sharing of personal information that the words of the bill are meaningless?

Would the legislation create proper protections for Canadians’ biometric data? Given that no such protection currently exists, perhaps we should be thankful that the subject is addressed at all.

Is it reasonable to exempt security agencies and departments, such as CSE, CSIS and DND from AI regulations? How do you balance privacy and security concerns?

Canadians’ digital privacy and data needs to be properly protected. This bill is a flawed attempt to start the long overdue overhaul of Canada’s digital data privacy framework. The Conservatives will be looking at putting forward some common-sense amendments at the committee stage to ensure we have the best possible legislation.

Madam Speaker, right now, Bill C-27 does not explicitly apply to political parties. We know there have been privacy breaches and the misuse of data in the past in the political area. Does the member think this kind of legislation should be amended to include political parties?

Madam Speaker, it is a privilege to rise in this House.

Another day, another debate about an NDP-Liberal piece of legislation about Internet freedom in Canada. The good folks on the west side of Saskatoon have heard me speak in this place about Bill C-11 and Bill C-18, two bills aimed at controlling what Canadians see and post on the Internet.

Today we are dealing with Bill C-27, which is aimed at protecting the online data of Canadians. This legislation is meant to put safeguards around the use of artificial intelligence and establish rules around Internet privacy. Sounds good, sounds noble and sounds like something we should support. To a certain degree I do support these initiatives.

However, I have deep reservations with this legislation as it exempts the Government of Canada from these very safeguards. Do we as Canadians need the protections in this bill from companies? Absolutely, but we also need protections from government, especially this NDP-Liberal coalition government that wants to take away some of our liberties and freedoms.

Some on the other side may accuse me of fearmongering about the NDP-Liberal suppression of civil liberties and freedoms on the Internet; I am not. Let me lay out the facts, and the people in Saskatoon West can decide for themselves.

Bill C-11 is the first piece of legislation meant to strip of us of our rights to free speech on the Internet. Conservatives such as myself and free speech advocates have been warning that the provisions put in place by the NDP-Liberals to have government-appointed gatekeepers decide what is acceptable speech or not in Canada will lead to disaster.

We have already seen that a prominent University of Toronto professor has been threatened with the revocation of his licence and livelihood for tweeting out against this legislation and the current Prime Minister. Imagine what would happen when the Prime Minister has the full weight of the law to simply muzzle this type of speech. Anyone who disagrees with him would be silenced and would be fined, lose their livelihood, and what is next, go to a re-education camp? We all know about the Prime Minister’s fondness for the basic dictatorship of the People’s Republic of China, heck, he does not even mind if the People's Republic of China funnels money to his family foundation and tilts elections towards the Liberal Party of Canada in this country.

How about the second piece of legislation meant to limit our Internet freedoms, Bill C-18? That legislation allows government-appointed gatekeepers to decide what is or is not news in Canada, and forces private companies to block content they do not like from their feeds and search engines.

If there is a story critical of the NDP-Liberal coalition and the Prime Minister, they call it fake news and ban it. If there is another fawning story by Andrew Coyne in The Globe and Mail about the Trudeau Foundation and the Chinese Communist Party, it is forced to the top of everyone’s news feed and search engine, like it or not.

When I spoke about Bill C-18 in December I warned of the consequences that this legislation would have. Specifically, I mentioned conversations I had with Google and Amazon Web Services and the impact on how they deliver services to Canadians. Google flat out told me it would simply get out of the business of delivering any and all news to Canadians as it did not want to become an instrument of the Canadian government to spread partisan messaging for the party in power. Just last month it began beta testing how it could shut down its news services for Canadians.

We need a 21st century solution to this problem, not one based on ideas from 40 years ago. Bill C-27 is supposed to protect people’s data from corporations. We need that but what we need, as well, is protection from this NDP-Liberal government when it comes to privacy.

Bill C-27 completely fails us in that area. The government has dragged its heels on Internet privacy for years, and unfortunately it has been a pattern to consistently breach our digital privacy rights. We saw it when the government waited until just last year to ban Chinese telecom giant Huawei from operating in Canada while other countries did the right thing years before us.

We saw it with the $54 million “arrive scam” app tracking Canadians border travel up until September 30, and the public bank account freezing for people who donated to the truckers last year. The list goes on and on. In the words of Alanis Morissette, “Isn’t it ironic?” when we hear the government start to talk about online privacy rights. I just hope it learns to start respecting the privacy of Canadians.

Let us take a look and see if this legislation actually protects the online privacy of the people of Saskatoon West. After all, they are rightfully distrustful of government and corporations when it comes to accessing their data

Here are some examples showing why they are distrustful: Tim Hortons tracking the movement of users after they have ordered something on their app; the RCMP using Clearview AI to access a data bank of more than three billion photos pulled from websites without user consent; and we cannot forget Telus giving the federal government access to the movements of over 33 million devices over the course of the pandemic.

When governments abuse their power, it destroys the level of faith Canadians have in their institutions. In fact, if we look at polling data, we see that the number of Canadians that have faith in their government is at an all-time low. With scandals like these, it is no wonder why.

If we want to improve the level of trust held between individuals and institutions, we must look at protecting Canadians' private data. If we dive into this legislation, it seems the intent is to create a level playing field between citizens and companies when it comes to how their data is used. However, if we look into it further, the balance between businesses using business data and the protection of our privacy is off.

The bill, as it is currently written, skews toward the interests of corporations rather than the fundamental rights of individuals. There are too many exceptions granted to businesses in this legislation. Some are so broad that it is like the legislation never existed at all.

For example, business activities are exempt if a “reasonable person” would expect a business to use their data, without including the definition of what a reasonable person is. The concept of legitimate business interests has been added as an exemption to consent. How does one determine if a business interest outweighs the privacy rights of an individual? Finally, the bill does not recognize privacy as a fundamental right. This absence tips the scales away from Canadians and could affect how their privacy interests are weighed against commercial interests in the future.

Artificial intelligence comprises a major component of this legislation. AI is becoming a key tool in today's world, much like engineering was in the last century. In the past, an engineer would sit down and design a bridge, for example. Obviously, the failure of a bridge would be a huge event with the potential for major disruptions, significant costs, potential injuries and even death. Therefore, we have professional standards for engineers who build bridges, but what about artificial intelligence?

In today's modern world, AI is used more and more to perform ever more complex tasks. In its early stages, AI was used as a shortcut for repetitive tasks, but as the technology advances, it is now being used for much more. In the future, it is not unreasonable to expect AI to play a significant role in designing a bridge, for example. Artificial intelligence also needs to have standards, which is why our universities teaching AI put a big emphasis on ethics, as there are huge implications.

I know first-hand the dangers of unregulated AI systems interfering in our day-to-day lives. On the immigration committee, we have studied this issue and looked at how Canada's immigration department is using Chinook, a so-called e-tool to help IRCC bureaucrats assess applications in bulk form. This AI program was introduced in-house by these bureaucrats, which means the software's algorithms are beholden to the beliefs of its creators.

The concerning part of all of this is that there is a known culture of racism within the department, and members do not have to take my word for it. The NDP-Liberal Minister of Immigration said this of his own department at committee: The IRCC “has zero tolerance for racism, discrimination or harassment of any kind. However, we know that these problems exist throughout the public service and in our department...[and] we must first acknowledge this reality.”

There were no outside consultations done on the use or creation of this artificial intelligence application, and rejection rates have climbed since its introduction. Although I am pleased that the government is finally looking to add a framework to address concerns surrounding AI, it needs to get its own house in order first.

I will wrap up with these final thoughts.

If we are going to address concerns surrounding our digital privacy, we must listen to Canadians, and many Canadians are worried that this legislation does not protect them. I have met with Bryan Short from OpenMedia, and he said this:

Bill C-27...only plays brief lip service to privacy being a fundamental human right in its preamble; Bill C-27 fails to do the more important task of inscribing the privacy rights of people as being more important than the business interests of companies.

The bill before us is supposed to be about protecting Canadians' privacy, yet it completely avoids inscribing privacy as a fundamental right. We all know the saying “There is no point in doing something unless you do it right”, and it is quite clear that the government needs to go back to the drawing board once again on some aspects of this legislation since there is not much evidence of it consulting Canadians on how their data was actually used.

I believe the former Ontario privacy commissioner, Ann Cavoukian, said it best in 2020 during the initial Liberal attempts to bring in privacy reform to Canada when she stated:

[With] the Liberals under [the Prime Minister], it's been extremely weak. They have not addressed repeated requests from the federal privacy commissioner to strengthen existing privacy laws.... I'm tired of that. I want a party that will walk the talk. And I'm hoping that will be the Conservatives.

Canadians can count on the Conservative Party of Canada to walk the talk when it comes to strengthening our privacy laws, and Canadians can count on the Conservative Party of Canada to respect their freedom of expression online. We will scrap the online censorship legislation put in place by this tired, worn out, costly coalition. We will allow people to choose for themselves which news they want to consume, not just what the government wants them to see. Under our new leader, we will be the voice of those left behind by the NDP-Liberal government, and we will put Canadians back in the driver's seat of their own life.

Madam Speaker, I thank my colleague for his speech. He appears to have extensive knowledge of almost every issue.

The protection of personal information is a shared jurisdiction in Canada. Bill C-27 should therefore not apply in provinces that have protections as stringent as those included in the bill.

The legislation passed by the Quebec National Assembly, in February 2021 I believe, is strong legislation. Can my colleague reassure us that Quebec businesses are indeed excluded from the federal legislation?

Madam Speaker, it is a pleasure to rise to speak to Bill C-27 today. As I put forward to my friend in the form of a question, when we think of Bill C-27, I like to think that the government is on the right track in continuing to protect the privacy of Canadians in many different ways. Yesterday we had a debate on Bill C-26 on cybersecurity.

If we take a holistic look at what the government has been able to accomplish through legislation and, ultimately, in certain areas in terms of developing the industry through budgetary measures, Canada is indeed in a very good position in comparison to our peer countries around the world. I do not say that lightly, because I know that all members are very concerned about the issue of privacy. That is in good part why we have the legislation today.

The last time these changes we are proposing happened was two decades ago. Let us reflect on that time of 20 years ago. We did not have iPhones, and Facebook did not exist. Going back a little further than that to when I was first elected, when one clicked into the Internet, the first thing one heard was a buzzing sound, the dial tone and then clicking. Then one was magically connected to the world. How far we have advanced in a relatively short period of time. Last week, I was on the Internet making a purchase that would be delivered. I never had to go to the store. It involved my doing a little bit of design work on the computer before making the purchase. I was told yesterday that it was delivered to my home.

The amount of information out there is absolutely incredible, and it is very hard to imagine the types of data and the risk factors out there. That is why it is so important that, as a government, we bring forward substantive legislation that is going to protect the privacy of Canadians, to ensure companies are held accountable and, in the context of yesterday's debate, to protect them from security threats that are very strong and very viable. It was interesting yesterday listening to the debate for a number of hours.

I get the sense that a wide spectrum of support is shaping up today. The NDP is supporting the legislation. My understanding is that the Conservatives are supporting the legislation. The Bloc, in principle, is supporting the legislation. The Province of Quebec has actually made some significant gains on this whole front, so I am not surprised that the Bloc or members from Quebec within the Liberal caucus are very strong about these issues, whether they are cybersecurity issues or the privacy issues of Bill C-27 that we are debating today.

I raise this because I believe that it does not matter what side of the House one happens to sit on, as this is legislation worth supporting. As I indicated, it has been 20 years since we have seen substantial changes to the legislation. The expectation is very high that we will not only introduce the legislation but that, with the cooperation of members opposite, we will see it pass through in a timely fashion.

Being an optimist, I would like to see the bill pass before the summer, and it is possible. I realize that it would require a great deal of co-operation from opposition parties, but I do believe it is doable, especially after the comments I heard this morning.

The legislation is not meant to address every matter that Canadians are having to face in the digital world. That is not what it is designed for. As I indicated, the legislation, whether this one or Bill C-26, goes a long way in establishing a solid base for a framework that would enable the government of the day, which is held accountable by the opposition, to have the opportunity to do a lot of work in an area where we need to see a higher sense of security and protection.

One member across the way asked about engagement. There has been a great deal of engagement. I can assure the member that, whether it is from a constituency perspective, a ministerial perspective or, I would even suggest, the member would have to take some credit in terms of an opposition perspective, there has been a great deal of dialogue. This is not a new issue. This issue has been in the making for years now.

There have been some factors that are beyond the government's control in terms of the manner in which it can bring forward legislation, for example the worldwide pandemic and the requirement for substantial legislation in order to support Canadians and have their backs. There were issues of that nature, along with numerous other pieces of legislation. I would not want to give a false impression that this is not an important issue for the Government of Canada.

At the end of the day, based on comments I have heard on both Bill C-26 and Bill C-27, I believe the legislation would establish a solid footing or framework, whatever terminology we might want to use, and, at the very least, we should see it go to committee. The principles of the legislation are in fact endorsed and supported by all sides of the House, from what I can tell, and please correct me if I am wrong. No doubt we will have other legislation that might be somewhat more controversial, where there is real opposition to the legislation, and this would enable more time for debate on that type of legislation.

If we could somehow recognize the value of this legislation, given that there is so much support for its principles, we would allow it to go to committee, where members of Parliament are afforded the opportunity to get into the nuts and bolts, the details, where there is representation from different stakeholders at committee to express their thoughts and opinions on the legislation, and where members can find out directly from the minister what kind of consultation has taken place. The member does not to have to take my word for it, but I can assure him that there has been a great deal of consultation. He would be able to hear that first-hand from departmental officials, the minister and so forth.

I believe the government has done its work in bringing the legislation to the point where it is today. We have seen ministers, in their opening remarks and in their response to questions, in co-operation with opposition members. The government has demonstrated very clearly in the past that it is open to amendments that can improve upon legislation for the benefit of Canadians, and if there are ways we can improve this legislation, we will accept those types of amendments. We will support those types of amendments. I believe this is one of the areas where the Prime Minister has been very good in sending that message. It could be because of years in opposition, when the opposition never had amendments accepted by former prime minister Stephen Harper.

At the end of the day, if there are ways to do it, we can improve upon this bill. I heard yesterday on Bill C-26, and already today on Bill C-27, that members have genuine concerns. I do not question those concerns, but I do believe that it would be helpful if they can look at those concerns. If they already have ideas that they believe will improve the legislation, nothing prevents members of the opposition or government members from being able to provide those amendments or thoughts in advance to the ministry, which would potentially allow for a deeper look into it to see if, in fact, something is doable.

The NDP talked, for example, about digital rights for Canadians. There is a great deal of concern that we need to ensure and recognize them, whether they are consumer rights or privacy rights. These are things we all hold very close to our hearts. We all want to make sure the interests of Canadians are being served.

When I took a look at the specifics of the legislation, I highlighted three parts I wanted to make reference to. CPPA would strengthen privacy enforcement and oversight in a manner that is similar to that of certain provinces and some of Canada's foreign trading partners. It is important that we do not just look internally. There are jurisdictions, whether nations or provincial entities, that have already done some fine work in this area. We do not have to reinvent the wheel, and working with or looking at other forms of legislation that are there is a very positive thing. In particular, the CPPA would do so by granting the Privacy Commissioner of Canada order-making powers that can compel organizations to stop certain improper activities or uses of personal information and order organizations to preserve information relevant to an OPC investigation.

This is significant. We need to think in terms of the technology that I make reference to. I can remember a number of years back when a pizza store was becoming computerized. As someone called in and made an order, they recorded the telephone number, the name and the address, personal information such as that. I remember talking to the franchise owner, whom I happen to know quite well, explaining how the collection of data, if used appropriately, can not only complement the business, but also complement the consumer, and this was maybe 20 years ago.

We can contrast that to an iPhone and looking at some of those applications we see. The one that comes to mind is a true Canadian application and a true Canadian franchise: Tim Hortons. My wife never followed hockey, but nowadays she does because of Tim Hortons. One can win free cups of coffee by picking who is going to score goals or get assists. I am not exactly sure how it works, but Tim Hortons comes up with a program that is actually collecting data from people. It is a program that allows it to send out all kinds of notifications. It could be sales of product. It could be something like NHL standings. It really engages the consumers. An incredible amount of data is actually being collected.

Tim Hortons is not alone. One can go to virtually all the major franchises and find the same thing. It is not just the private sector. Yesterday we were talking about cybersecurity, and one can easily understand and appreciate the sensitivity of collecting information, even if one is a Tim Hortons or a Home Depot, but also many government agencies. For example, there is the amount of personal information Manitoba Health has, which is all computerized. There are also doctors' offices. The digital world, in a very real and tangible way, has changed to such a degree that many, including myself, would argue that things like Internet access have become an absolute and essential service nowadays. It is something we all require.

The incredible growth of data banks, both in the private sector and in the government, and I would throw in the non-profits and the many other groups that collect data, has been substantive in the last 15 or 20 years. That is the reason why today we have the type of legislation we have before us. Bill C-27 would ensure that we have something in place to provide consequences for offences. To give members a sense of those consequences, the new law would enable administrative monetary penalties for serious contraventions of the law, subject to a maximum penalty of 3% or $10 million of an organization's global revenue, whichever is greater, and fines of up to 5% of revenues or $25 million, whichever is greater, for the most serious offences.

I said I wanted to highlight three things, so I will move on to the second point. The personal information and data protection tribunal act would establish a new tribunal, which would be responsible for determining whether to assign administrative monetary penalties that are recommended by the Privacy Commissioner following investigations, determining the amount of penalties and hearing appeals of the Privacy Commissioner's orders and decisions. The tribunal would provide for access to justice and contribute to further development of privacy expertise by providing expeditious reviews of the Privacy Commissioner's orders.

The third point is that the AIDA would impose a duty to act responsibly by requiring organizations designing, developing, deploying or operating high-impact artificial intelligence technologies to put in place measures to proactively mitigate risks of harm and bias in the development of these technologies.

I have less than a minute left to talk, and I have not even touched on the AI file. I made reference at the very beginning to the financial investments of this government in encouraging the growth of that industry in the different regions of our country. The Government of Canada is not only bringing in the type of securities that are absolutely important for Canadians from a privacy perspective, to encourage continual growth in the area and have these protections in place, but also doing so through budgetary measures to ensure that we continue to enhance the opportunities of Canadians. If we take a look at the digital world today, it is very hard to imagine where it is going to be tomorrow, at least for myself, in witnessing the growth of the digital world over the last 20 or 30 years and how far it has gone.

This legislation is a modernization. It is legislation we can all get behind and support. I would encourage members, no matter what party they are from, to support it. Let us see it go to committee, where the committee can do its fine work and see if we can even improve—

Madam Speaker, certainly from the Conservative side and from the NDP, it seems like we are on the same page when it comes to looking at privacy, protecting privacy and stating that privacy should be a fundamental right, not only in the preamble but also in the clause statement. The clause statement is very important because that is what the bill is derived from. The definition of privacy and fundamental rights then goes throughout the rest of Bill C-27.

One example that came out this week was of our children using a game called Fortnite. There are a lot of other games children spend a lot of time on sometimes, but Fortnite was found to be in breach of error in the U.S. for exploiting our children, taking their data and selling that. Can the member please answer for me how important it is not only to protect our adult fundamental right to freedom, but also our children's fundamental right to freedom?

Madam Speaker, I want to use my speaking time in the House to note that today is the 85th day of the blockade of the Lachin corridor. This blockade has left 120,000 Armenians in Nagorno-Karabakh without access to health care, food and medication. This situation has been denounced by the European Parliament, by Amnesty International and, last week, by the International Court of Justice. I urge the federal government to do more and apply pressure to ensure that these 120,000 Armenians can have access to food and to prevent a humanitarian crisis.

I am pleased to rise in the House today to speak to Bill C-27, an act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other acts.

This bill includes many things and covers many topics. I want to begin with the part on artificial intelligence. The NDP was a bit concerned by the fact that in the wake of Bill C‑11, this whole new part on the Artificial Intelligence and Data Act was added to Bill C‑27. We think this is a separate issue that needs to be dealt with separately. It is a huge topic in and of itself. We are pleased that the bill is being split so that we can study it in two parts.

In my riding, Rosemont—La Petite-Patrie, there is a burgeoning AI hub that provides jobs for hundreds, maybe even thousands, of professionals. I have met people who were a little worried about the federal government being kind of hasty in dealing with an issue as complex as AI. They are particularly worried about the fact that the U.S. and the EU have laws and regulations already. They think we need to take the time to make sure Canada's regulations are compatible with what is being done elsewhere, with our trading partners and our competitors, just so that it will be easier to attract talent down the line and get these professionals to go work in Montreal, Toronto, Vancouver and other places in Quebec and Canada. They want to avoid the kind of incompatibility that could result in unnecessary obstacles.

With respect to the protection of personal information, I believe that, sadly, a string of scandals has made people aware of this issue, and they realize that our laws and regulations must be updated and adapted. Consider the personal information and data breaches and the problems this causes for people. I will quickly mention a few examples. The problems with Yahoo, Marriott, and Mouvement Desjardins in Quebec, as well as Facebook, all revealed the need for new measures to help victims who have had data and their personal information stolen in several countries. We need only think of the 2019 settlement in the U.S. for the Equifax data breach. It is quite significant, given that Equifax is one of the largest companies people rely on for their credit score so they can make purchases or borrow money. This is not trivial.

Here, in 2019, the Office of the Privacy Commissioner of Canada found that Equifax fell short of its obligations to Canadians and Quebeckers. He then had the company sign a compliance agreement that did not require the payment of any fines or damages for Quebec or Canadian victims. This happened just a few years ago and clearly demonstrates just how outdated Canada's legislation is.

That is why the NDP will be supporting Bill C-27 at second reading. We think it is important that the bill be sent to committee, because we see all the cracks and gaps currently in the bill. It is important that the Office of the Privacy Commissioner be strengthened to bolster enforcement measures to protect consumers and Canadians. Bill C-27 needs to be amended to improve things. There are some shortcomings in this bill. There is even some backsliding in relation to Bill C-11, its predecessor in the previous Parliament, before the last election.

Privacy concerns everyone. In a digital world where social media and online entities are taking up more and more space, we have to remember that, although it is nice to use them sometimes—and they can be of great service—we are the ones who have become the product. Our personal information is the source of huge profits, and we need to be aware of that.

Our information is used to target the advertising we see on our devices when we go to websites. That targeting is based on our personal choices, preferences and searches. Big corporations create profiles and use them to sell advertising. We are the product. These companies make money off the information we give them for free. I have met people who had an interesting suggestion. Maybe these companies should pay us because we are their source of profit. They make money off the targeted advertising they sell, and that is how they plump up their bottom line.

We need to modernize our privacy protection laws. We also need to start thinking about the implications of handing over so much information about our consumer behaviour, our travel patterns, our interests and everything we search for online. We have to prompt people to think about that.

The bill is interesting because it creates a lot of new regulations and a new tribunal. The NDP thinks that is a good thing, but the bill does not go far enough. For example, the bill sets out a private right of action for individuals, but it does not really make it possible for consumers who have fallen victim to privacy breaches to be compensated, unlike what is being done in the United States. This right comes with various rather ineffective stipulations, so although there are new provisions, like this new tribunal, the bill provides for very little recourse.

A few years ago, the NDP published a digital bill of rights for Canadians. In it, we called for new, more effective provisions on consent and the sustainability of data. We called for the government to give the commissioner order powers and to impose larger and more consequential monetary penalties. We also called for transparency with regard to algorithms and more protection against abuse.

I think that the government could draw inspiration from the NDP's digital bill of rights to amend, enhance and improve the bill before us today. Once again, I have to say that this bill takes half steps because it proposes half-measures. There are some rather interesting measures in this bill, but they do not go far enough.

For example, there is still a significant imbalance between commercial interests and individual rights. Unfortunately, the Liberals are still in the habit of putting commercial interests ahead of the rights of citizens. For example, the new preamble of Bill C‑27 tries to present privacy as an individual interest tied to fundamental rights, but still does not directly recognize that privacy is not just an essential aspect of fundamental rights, but a fundamental right in and of itself. It considers the right to privacy to be part of Canadian norms and values, rather than a fundamental right. I think this part of the preamble of the bill should be changed.

There is also some backsliding. Under Bill C‑27, individuals would have less control over the collection, use and disclosure of their personal data, even less than what was proposed in Bill C‑11, which was introduced during the last Parliament. That is really the crux of the matter. If we do not have control over the information we provide or the way it is used or shared, it will be a wild west, total chaos. That is what we are seeing now, in fact. This is a step backwards, and I think that the NDP will be proposing amendments to restore this balance.

Under the bill, information that has been de-identified is still personal information, with some exceptions. There are quite a few exceptions, including in clauses 20 and 21, subclauses 22(1) and 39(1), and the list goes on and on. Roughly a dozen clauses contain multiple exceptions, so it gets extremely complex and confusing. It seems to me that this is going to give big corporations and web giants a way out, through loopholes and back doors. They will be able to do whatever they want because of this list of exceptions.

We in the NDP will be supporting the bill at second reading, but there is still a lot of work to be done to improve the bill.

Madam Speaker, at the beginning of his speech, my colleague talked about the progress Quebec has made with Bill 25.

Bill C-27 appears to provide some protection or at least not go against Bill 25, but there is no real guarantee.

Does my colleague think that this is one of the changes that should be made to ensure that Bill 25 in Quebec is not hindered by Bill C-27 and that, instead, these laws complement one another?

Madam Speaker, I appreciated hearing the member for Hamilton Centre's speech on Bill C-27. I would like to hear more from him, in particular on subclause 18(3). This section talks about a legitimate interest for an organization to collect a person's private information without consent.

There have been concerns shared here with respect to how open-ended this legitimate interest could be. I wonder if the member would reflect and share more about his concerns, if any, with the way the bill is currently written.

Madam Speaker, that is an important question. Bill C-27 needs consistent, technologically neutral and future-proof definitions both to the consumer privacy protection act and the AIDA within Bill C-27. It should provide definitions for AI or algorithmic systems that are cohesive across both laws, and the definition for AI ought to be technologically neutral and future-proof. That is the question I just answered for the previous speaker. A potential pathway for regulation is to define algorithmic systems based on their applications, instead of focusing on the various techniques associated with machine learning and AI.

Madam Speaker, I am sure the hon. members from the other side are about to take some good notes on the recommendations we put forward. They are probably discussing among themselves how they can improve upon these serious gaps and have some public engagement on this.

We are not subject matter experts in this House when it comes to this type of technology. It is not clear whether there has been any public engagement specific to Bill C-27 as it is proposed. There was public engagement around the creation of Canada's digital charter, called the national digital and data consultations, that happened back in 2018. However, as I understand it, only about 30 or so discussions were held. That fell dearly short. The majority of digital leaders were from the private sector, and there were only a couple of universities involved. Therefore, it is unclear who the government is consulting with when it deals with this type of surveillance capitalism and the risks it presents to consumers.

Let us get right to the point. What are the gaps that exist in this legislation? How does Bill C-27 compare with the ideal privacy legislation? There are many gaps. Clearly, it does not compare to the GDPR; it also falls short of privacy legislation that is currently being proposed in la belle province of Quebec, in New Zealand and in the state of California.

For example, in California, the California Consumer Privacy Act, the California Privacy Rights Act and the Children's Online Privacy Protection Act have all presented more robust solutions to what is before us here today. In addition, there are privacy protections that come into effect under the CCPA that we should be considering.

We need to ensure that the protections that come into effect include the rights to know, to delete and to opt out of sale or sharing, as well as the right to non-discrimination. Under that legislation, consumers also have the rights to correct inaccurate personal information and to limit the use and disclosure of sensitive personal information collected about them. There is a lot out there that we should be considering when it comes to amendments.

I am going to list examples of gaps within this bill so they are on the record. The bill does not promote the development of data stewardship models. It does not require that organizations take into account the potential consequences to individuals and societies through such measures as privacy impact assessments of a breach of security or safeguards. There is no section in Bill C-27 expressly dedicated to cross-border dataflows.

There has been no privacy impact assessment done to address any additional risks, which should be identified, justified, mitigated and documented in such an assessment. There is no assessment of the broader level of privacy rights protections in foreign jurisdictions. This is a very important conversation, particularly this week in the House, that includes how Canadians' privacy rights can be enforced.

This bill does not include specific rules that are applicable to data brokers, and these are important third parties who are not service providers. There should be a fiduciary duty to individuals if data processors act as intermediaries between individuals and data collectors. This would ensure that such service providers only use personal information entrusted to them for the purpose intended by the individuals.

This bill does not provide the right to disposal with respect to search engines' indexing of personal information where it could cause harm to the individual's privacy or reputation. It does not include the language that was in PIPEDA regarding individual access where it provides an account of third parties to which personal information about an individual or an organization has been disclosed. There should be an attempt that is as specific as possible.

This bill does not include the right of individuals to express their points of view to a human who can intervene or to contest decisions. When we look at AI or how algorithms are working in society today, they are inherently flawed.

In fact, there is another study that I would reference, titled “AI Oversight, Accountability and Protecting Human Rights”, which has commentary on this. This was authored by a series of subject matter experts who gave a long list of needs for adequate public consultation and proper oversight of AIDI to effectively regulate the AI market in Canada.

The commissioner needs to be an independent agent of Parliament. We need to empower an independent tribunal to administer penalties in the event of a contravention, and we need to outline the best practices for auditing and enforcing the law. There are dozens of recommendations contained in both reports that, as New Democrats, we will be presenting to the government at the appropriate time at committee.

It is clear, from the body of the preliminary work that has been done, that this bill is inadequate as it stands. It is too big to adequately cover AI and consumer protections. It has always been our belief that those should be split up. That way we can have an investigation to ensure that consumer protections are met, that surveillance capital does not continue to profit off our most personal information and data and that, ultimately, we have safeguards with a robust and very firm platform on which these organizations, businesses, companies, and in some instances foreign countries, are held to account when they violate our rules.