Digital Charter Implementation Act, 2022

An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Sponsor

Status

In committee (House), as of April 24, 2023

Subscribe to a feed (what's a feed?) of speeches and votes in the House related to Bill C-27.

Summary

This is from the published bill. The Library of Parliament has also written a full legislative summary of the bill.

Part 1 enacts the Consumer Privacy Protection Act to govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities. In consequence, it repeals Part 1 of the Personal Information Protection and Electronic Documents Act and changes the short title of that Act to the Electronic Documents Act . It also makes consequential and related amendments to other Acts.
Part 2 enacts the Personal Information and Data Protection Tribunal Act , which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act and to impose penalties for the contravention of certain provisions of that Act. It also makes a related amendment to the Administrative Tribunals Support Service of Canada Act .
Part 3 enacts the Artificial Intelligence and Data Act to regulate international and interprovincial trade and commerce in artificial intelligence systems by requiring that certain persons adopt measures to mitigate risks of harm and biased output related to high-impact artificial intelligence systems. That Act provides for public reporting and authorizes the Minister to order the production of records related to artificial intelligence systems. That Act also establishes prohibitions related to the possession or use of illegally obtained personal information for the purpose of designing, developing, using or making available for use an artificial intelligence system and to the making available for use of an artificial intelligence system if its use causes serious harm to individuals.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

April 24, 2023 Passed 2nd reading of Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts
April 24, 2023 Passed 2nd reading of Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Digital Charter Implementation Act, 2022Government Orders

November 28th, 2022 / 12:55 p.m.


See context

NDP

Laurel Collins NDP Victoria, BC

Madam Speaker, privacy rights are so critical. When they are violated, consumers deserve to be compensated. There have been numerous examples in the United States where consumers have been compensated in the realm of hundreds of millions of dollars. For the same breach here in Canada, consumers have not been compensated.

I am wondering if the member would support amendments that would ensure that, in Bill C-27, there is parity, and for the same breach, Canadians and Americans would be getting fair compensation.

Digital Charter Implementation Act, 2022Government Orders

November 28th, 2022 / 12:45 p.m.


See context

York Centre Ontario

Liberal

Ya'ara Saks LiberalParliamentary Secretary to the Minister of Families

Madam Speaker and hon. colleagues, I rise today to speak about the digital charter implementation act, 2022, also known as Bill C-27.

I thank the member for Châteauguay—Lacolle for sharing her time with me today.

It is an important discussion that is happening among Canadians about what our digital environment looks like. As we know, over the past few years, we have witnessed the constant evolution of our digital environment. Canadians have been successfully navigating through this changing environment, but they have also made it clear to us that they want better protection of their privacy. They want to be able to benefit from the latest emerging technologies with the confidence that they can be used safely. Canadians also believe that organizations need to be fully accountable for how they manage personal information and how they go about developing powerful technologies, such as artificial intelligence, or AI.

From the beginning of our consultations on digital and data, stakeholders have stressed the importance of maintaining flexibility to innovate responsibly and maintain access to markets at home and abroad. I am proud to say that the digital charter implementation act, 2022, which would enact the consumer privacy protection act, or CPPA, and the artificial intelligence and data act, or AIDA, would do just that.

The CPPA represents a complete transformation of Canada's private sector privacy regime, the Personal Information Protection and Electronic Documents Act, or PIPEDA, which came into force in 2001. That was 20 or so years ago. CPPA would introduce significant changes to better protect Canadians' personal information, including strong fiscal and financial consequences for those who seek to benefit from curtailing their legal obligations. This new framework would also ensure that all Canadians could enjoy the same privacy protections as individuals have in other countries.

The AIDA, for its part, is being proposed to build confidence in a key part of the data-driven economy. This part of the bill would introduce common standards for responsible design, development and deployment of AI systems. It would also provide businesses with much-needed guardrails for AI innovation and would ensure that Canadians can trust the AI systems that underpin the data economy.

PIPEDA was passed at the start of the century when other countries and some provinces were moving forward with privacy laws governing the private sector. Recognizing the potential for a patchwork of provincial privacy laws to emerge and the need to align internationally, Canada put in place PIPEDA as a national privacy standard. It drew on best practices to provide robust privacy protections for increased consumer confidence and a consistent and flexible regulatory environment for businesses that allowed for legitimate use of personal information.

The key element for alignment was the recognition of provincial private sector privacy laws as substantially similar. This meant that, where such a law is given that designation, PIPEDA did not apply to an organization's activities within that province. PIPEDA would continue, however, to apply to the federally regulated sector in that province and to any personal information collected, used or disclosed in the course of commercial activities across borders. This has provided a stable regulatory environment and flexibility for provinces, and it has supported Canada's trade interests well for many years.

Today, history is repeating itself, but the stakes are much higher. The role of the digital economy is far more central to our lives than it was 20 years ago. To harness all that the modern digital world has to offer, we clearly need to modernize our federal private sector privacy law. The provinces are moving in that direction and, again, the risk of fragmentation looms.

Quebec has amended its private sector privacy law, and B.C. and Alberta are examining their private sector privacy laws as well. Ontario too is considering introducing a new private sector privacy law. Therefore, the federal government must act now to ensure that all Canadians benefit from a substantially equivalent degree of protection and facilitate compliance for organizations that do business across the country.

Like PIPEDA, the CPPA is grounded in the federal trade and commerce powers. It builds on the best practices developed internationally and by Canadian provinces, and it foregrounds the importance of the ease of doing business across boundaries. The CPPA replicates the approach under PIPEDA, and it updates the mechanism in regulations for recognizing provincial laws as substantially similar. The regulations will set out the criteria and process for such recognition and will continue to provide the flexibility that has been important to PIPEDA's success.

CPPA, like its predecessor, would also maintain the Privacy Commissioner's ability to collaborate and co-operate with his or her provincial counterparts. This is an important tool to ensure consistency, guidance and enforcement, and one that has enabled our commissioners to lead the world in privacy collaboration and co-operation.

Canada also needs to move proactively to regulate in the AI space, given that the operation of these systems transcends national and provincial borders in the digital environment. AIDA would create a common standard that all organizations involved in international and inter-provincial trade and commerce would have to meet. AIDA would place Canada at the forefront of international regulation in the AI space and would provide clear rules across the country. This would spur innovation and build confidence in the safety of AI systems used or developed in Canada.

We live in an interconnected world. Data is constantly flowing across borders. In 2001, the European Commission recognized PIPEDA as providing adequate protection relative to EU law, allowing for the free flow of personal information between Canadian and European businesses.

In 2018, a new EU regulation came into effect that was known as the general data protection regulation. It updated many of the existing requirements and added strong financial penalties for contraventions. The EU is currently reviewing its existing adequacy decisions, including the one that applies to Canada. We expect to hear more on the outcome of this review soon.

The CPPA would make a positive contribution to maintaining Canada's adequacy with the EU privacy regime. It would enable personal data from EU businesses to continue to flow to Canada without additional protections. Beyond the EU, the changes proposed in the CPPA would represent important updates that would bring us in line with other international jurisdictions that have updated their laws. It would ensure interoperability with consistent rules, rights and consequences.

Other jurisdictions internationally are also moving ahead on their AI regulation, and strong action is needed to maintain Canada's leadership position internationally. Interoperability with international partners remains a key priority. The EU in particular has advanced a framework for regulating AI that would set standards for any AI systems being deployed in the EU market.

AIDA would propose a risk-based approach that would ensure interoperability with the EU while keeping in mind that Canadian context is unique. For example, AIDA would include flexible compliance options in order to ensure that our many small to medium-sized businesses would not be left behind. The proposed AIDA would represent an opportunity for Canada to lead internationally, would ensure market access for Canadian companies and would uphold Canadian values.

The government launched Canada's digital charter in 2019. Its 10 guiding principles offer a foundation on which to build an innovative and inclusive digital and data-driven economy. Ensuring interoperability, a level playing field, strong enforcement and real accountability are clearly reflected in the digital charter implementation act, 2022.

I can assure colleagues that our approach is pragmatic, principled and meets our trading needs. The bill would provide a consistent, coherent framework that Canadians and stakeholders could rely on. With Bill C-27 we would continue to encourage trade and investment and to grow an economy that would extend across provincial and international borders alike.

Digital Charter Implementation Act, 2022Government Orders

November 28th, 2022 / 12:40 p.m.


See context

NDP

Taylor Bachrach NDP Skeena—Bulkley Valley, BC

Madam Speaker, it is notable that Bill C-27 does not explicitly apply to political parties. Given the potential for privacy breaches and other issues to exist in the political arena, I wonder if my colleague across the way could comment on the potential for amending it to explicitly reference and include political parties in the scope of the bill.

Digital Charter Implementation Act, 2022Government Orders

November 28th, 2022 / 12:40 p.m.


See context

Bloc

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Madam Speaker, I commend my colleague. I sat with her on the Standing Committee on Access to Information, Privacy and Ethics for a few months.

We had concerns about privacy. Several recommendations were made, and that is why Bill C‑11 became Bill C‑27. I acknowledge that the bill has been improved. That being said, I wonder about two things.

First, in 2022, I do not think it is right that banking institutions are taking the lead on showing us how important it is to protect privacy. Second, this bill is important, but I would like to know if we should refer it to a committee to study it properly because it is really two bills in one. The first is on artificial intelligence, and the second is on privacy protection. What does the member think?

Digital Charter Implementation Act, 2022Government Orders

November 28th, 2022 / 12:30 p.m.


See context

Liberal

Brenda Shanahan Liberal Châteauguay—Lacolle, QC

Madam Speaker, I will be sharing my time with the member for York Centre.

I am pleased to rise in the House today to speak to the digital charter implementation act, 2022, in particular the aspect on the consumer privacy protection act. If I have time, I will also discuss the artificial intelligence and data act.

I am very proud to speak to these two pieces of legislation that introduce a regime that seeks to not only support the technological transformation, but also help Canadians safely navigate this new digital world with confidence. These past few years, Canadians have witnessed these technological shifts take place. They have taken advantage of new technologies like never before. In 2021, more than 72.5% of Canadians used e-commerce services, a trend that is expected to grow to 77.6% by 2025.

According to TECHNATION, a 10% increase in digitalization can create close to a 1% drop in the unemployment rate. What is more, every 1% increase in digitalization can add $8.7 billion to Canada's GDP. In order to take advantage of those major benefits for our economy, we must ensure that consumers continue to have confidence in the digital marketplace.

Technology is clearly an intrinsic part of our lives, and Canadians have growing expectations regarding the digital economy. It is absolutely essential that the Government of Canada be able to meet those expectations.

With this bill, the government is putting forward a regime that gives Canadians the protection they deserve. First, as stated in the preamble of the digital charter implementation act, 2022, Canada recognizes the importance of protecting Canadians' privacy rights. Similarly, the 2022 consumer privacy protection act also provides important protections for Canadians.

That said, our government has listened to the input of various stakeholders, and we have made changes to improve this bill. I was on the committee in the last Parliament, and there was a lot of discussion about the previous bill, Bill C‑11. I am very pleased to be able to speak to Bill C-27, so that we can get all that work done in this Parliament.

One of the most important changes we have made is enhancing protection for minors. Some stakeholders felt that the previous legislation did not go far enough to protect children's privacy. I agree. Consequently, the bill was amended to define minors' information as sensitive by default. This means that organizations subject to the law will have to adhere to higher standards of protection for that information. The legislation also provides minors with a more direct route to delete their personal information. This will make it easier for them to manage their online reputation. I think this is a really important change, because we know that young people are very aware and very capable of using all types of digital platforms, but at the same time, we need to make sure that they are able to protect their reputation.

In addition to protections for minors, we also made changes to the concept of de-identification of personal information. According to many stakeholders, the definitions in the old bill were confusing. We recognize that having well-defined terms helps ensure compliance with the act and provides more effective protection of consumers' information. In that regard, I understand that, because we are talking about new technologies and an evolving industry, it is important for all members to share their expertise, since that will help us develop a better piece of legislation.

The difference, then, between anonymous information and de-identified information needs to be clarified because, clearly, if information is de-identified but an organization or company is able to reidentify it, that does not serve the purpose of having anonymous information.

Data-based innovation offers many benefits for Canadians. These changes contribute to appropriate safeguards to prevent unauthorized reidentification of this information, while offering greater flexibility in the use of de-identified information.

The new law also maintains the emphasis on controlling the use of their personal information by individuals. That remains a foundation of the law, namely that individuals must be able to fully understand the purpose for which information will be used and consent to that purpose in the most important circumstances.

However, the modern economy must also have flexible tools to accommodate situations that are beneficial but that may not require consent if the organization respects certain limits and takes steps to protect individuals.

The approach advocated here continues to be based on the concept of individual control, but proposes a new exception to consent to resolve these gaps as a tool for safeguarding privacy. The new provisions propose a general exception to cover situations in which organizations could use personal information without obtaining consent, provided that they can justify their legitimate interest in its use for circumstances in which the individual expects the information to be used.

In addition, to prevent abuse, the exception is subject to a requirement that the organization mitigate the risk. For example, digital mapping applications that take photos of every street and that we use to view them, particularly to help with navigation, are widely accepted as being beneficial. However, obtaining individual consent from every resident of the city is impossible.

I believe that everyone in the House will agree that it is hard to imagine how we managed before we had access to those navigation applications. Last evening, I had a visit with a family member in Ottawa and was very happy to have my mapping application to find my destination.

The presence of an exception, combined with a mitigation requirement, therefore allows individuals to take advantage of a beneficial service while safeguarding personal information. The example shows another key aspect for building trust and transparency. Digital mapping technology presents a certain level of transparency. The vehicles equipped with cameras can be seen on our streets and the results can also be seen posted and available online.

However, there are some technologies or aspects thereof that are more difficult to see and understand. That is why the bill continues granting individuals the right to ask organizations for an explanation regarding any prediction, recommendation or decision made in their regard by an automated decision-making system.

What is more, these explanations must be provided in plain language that the individual can understand. These provisions also support the proposed new artificial intelligence act. However, I do not think that I have time to get into that, so I will end there.

Digital Charter Implementation Act, 2022Government Orders

November 28th, 2022 / noon


See context

NDP

Brian Masse NDP Windsor West, ON

Madam Speaker, I am happy to start this week by speaking to Bill C-27. It is quite an extensive bill at over 140 pages in length. It would amend several acts and the most consequential are three of them in particular, as it is an act to enact the consumer privacy protection act, the personal information and data protection tribunal act and the artificial intelligence and data act and to make consequential and related amendments to other acts.

I should start by saying that this is really three pieces of legislation that have been bundled up into one. As New Democrats, we have called for different voting for the third and final part of this act.

The first two parts of the act, concerning the consumer privacy protection act and the personal information and data protection tribunal act, do have enough common themes running through them to be put together into one piece of legislation. I still think, for these issues, that they would have been better as two separate pieces of legislation because one of them is brand new and the first one, the consumer privacy protection act, is the former Bill C-11, which was highly controversial in the previous Parliament.

When we had an unnecessary election called by the Prime Minister, that bill died, along with all of the work from Parliament, which was not concluded, despite extensive lobbying and consultation going, particularly, through the ethics committee at that time. This has now been bundled with some other legislation to go through the industry committee, which is fine.

The personal information and data protection tribunal act is a new component of this legislation. I have some concerns about that element of it, but it does have a common theme, which is worthwhile, and at least it has the potential to be put together and bundled. Although, again, it is extensive, it is a bundling that we can accept.

We have called for a Speaker's ruling with regard to the artificial intelligence and data act, as this is brand new legislation as well, but it does not have the same connections as the previous two pieces, which are bundled together, in the way that one could argue for them. We want a separate vote on the second part of this because the legislation would be studied at committee together.

There will be a high degree of interest in this legislation, since Bill C-11 had that in the past. The new bill changes position from Bill C-11 significantly, and I expect that this in itself will garner a lot of chatter, as well as review and interest, from a number of organizations, many of whom we have already heard from as of now.

The other part, with the tribunal, would be another important aspect, because it is a divergence from our traditional way of enforcement and creates another bureaucratic arm. Again, I would like to see more on this, and I am open to considering the idea, but it is certainly different from our traditional private right of law for dispute settlements about data breaches and other types of corporate malfeasance, that actually have to deal with the types of laws that are necessary to bring compliance among people.

This goes to the heart of, really, where a political party resides in their expectations of companies and their use of data, information and algorithms. For New Democrats, we fall very much in line with something I have tabled before, several years ago, which is a digital bill of rights, so that one's personal rights online are consistent with that of our physical rights, where one is expected to be properly treated in a physical world and in the digital format world. That includes one's right to privacy, right to the expectation of proper behaviour conducted toward oneself and right to not be abused. It also includes significant penalties to those who do those abuses, especially when we are looking at the corporate world.

Where this legislation really becomes highly complicated is the emergence of artificial intelligence, which has taken place over the last decade and will be significantly ramped up in the years to come. That is why the European Union and others have advanced on this, as well as the United States.

Our concern is that this bill tries to split both worlds. We all know that the industries of Google and other web giants have conducted significant lobbying efforts over the last number of years. In fact, they have tripled their efforts since this administration has come into place and have had a direct line of correspondence about their lobbying, which is fine to some degree, but the expectation among people that it would be balanced does not seem to be being met.

I want to bring into the discussion the impact on people before I get into the technical aspects of the bill, as well as the data breaches that remind us of the need for protection among our citizens and other companies as well. One of the things that is often forgotten is other SMEs, and others can be compromised quite significantly from this, so protecting people individually is just as important for our economy, especially when we have the emergence of new industries. If they are behaviours that are hampered, manipulated or streamed, they can become significant issues.

I want to remind people that some of the data breaches we have had with Yahoo, Marriott, the Desjardins group and Facebook, among others, have demonstrated significant differences in the regulatory system between Canada and the United States and how they treat their victims. A good example is a settlement in the U.S. from 2009 with the Equifax data breach, where Equifax agreed to pay $700 million to settle lawsuits over the breach in agreement with the U.S. authorities, and that included $425 million in monetary relief to consumers. We have not had the same type of treatment here in Canada.

This is similar to the work I have done in the past with the auto industry and the fact that our Competition Bureau and our reimbursement systems are not up to date. We have been treated basically as a colony by many of the industries when it comes to consumer and retail accountability.

We can look at the example of Toyota and the data software issue, where the car pedal was blamed for the cars going out of control. It turned out this was not the case. It was actually a data issue. In the U.S., this resulted in hundreds of millions of dollars of investment into safety procedures. We received zero for that. Also, consumers received better treatment, where their vehicles were towed back to different dealerships to be fixed. In Canada, consumers did not receive any of that.

The same could be said with Volkswagen, another situation that took place with emissions. Not only did we not receive compensation similar to that of the United States, we actually imported a lot of the used Volkswagen vehicles from Europe. However, that was of our own accord and time frame when those vehicles were being sunsetted in those countries because of emissions.

In the case of Facebook, the U.S. Federal Trade Commission was able to impose a $5-billion fine for the company's violation, while the Privacy Commissioner's office was forced to take the company to federal court here in Canada. One of the things I would like to point out is that our Privacy Commissioner has stood up for the needs of Canadians, and one of the concerns with this bill would be the erosion of the Privacy Commissioner's capabilities in dealing with these bills and legislation.

The Privacy Commissioner has made some significant points on how to amend the bill and actually balance it, but they have not all been taken into account. One of the strong points we will be looking to is to see whether there are necessary amendments from our Privacy Commissioner on this.

One of the big distinctions between Canada and the United States, which is to our benefit and to Canada's credit, is the office of the Privacy Commissioner. Where we do not have some of the teeth necessary for dealing with these companies, we do have the independent Privacy Commissioner, who is able to investigate and follow through at least with bringing things to a formal process in the legal system. It is very laborious and difficult, but at the same time, it is independent, which is one of the strengths of the system we have.

If the government proceeds, we will see the bill go to committee, which we are agreeing to do. However, we do want to see separate voting. Before I get into more of the bill, I will explain that we want to see separate voting because we really distinguish that this is inappropriate. The artificial intelligence act is the first time we have even dealt with this topic in the House of Commons, and it should be done differently.

We will be looking for amendments for this, and big corporate data privacy breaches are becoming quite an issue. Some of these privacy breaches get highly complicated to deal with. There have been cases with cybersecurity and even extortion. The University of Calgary is one that was well noted, and there have been others.

We need some of these things brought together. The bill does include some important fixes that we have been calling for, such as stronger enforcement of privacy rights, tough new fines, transparency in corporate decisions made by algorithms.

I have pointed out a lot of the concerns that we have about the bill going forward because of its serious nature. However, we are glad this is happening, albeit with the caveat that we feel the bill should be separate legislation. The minister does deserve credit for bringing the bill forward for debate in the House of Commons.

Bill C-11 should have been passed in the last Parliament, but here we are again dealing with it. The new tribunal is the concern that we have. It could actually weaken existing content rules, and we will study and look at the new tribunal.

The tribunal itself is going to be interesting because it would be an appointment process. There is always a concern when we have a government appointment process. There is a concern that there could be complications setting up the tribunal, such as who gets to go there, what their background is, what their profession is and whether there will be enough support.

One of the things that gives me trouble is that the CRTC, for example, takes so long to make a decision. It is so laborious to go through and it has not always acted, most recently, in the best interest of Canadians when it comes to consumer protection and individual rights. It gives me concern that having another tribunal to act as a referee instead of the court system could delay things.

Some testimony has been provided already, some analysis, that suggests the tribunal might end up with lawsuits anyway, so we could potentially be back to square one after that. The time duration, funding, the ability to investigate and all these different things are very good issues to look at to find out whether we will have the proper supports for a new measure being brought in.

Another government resource for this is key. At the end of the day, if it is a tribunal system that is not supportive of protecting Canadians' privacy and rights, then we will weaken the entire legislation. That is a big concern because that would be outside Parliament. The way that some of the amendments are written, it could be coming through more regulatory means and less parliamentary oversight.

Who is going to be on the tribunal? How will it be consistent? How will it be regulated? I would point to the minister providing the CRTC with a mandate letter, which is supposed to emphasize the public policy direction it should be going. In my assessment, the CRTC, over the last number of years, has not taken the consumer protection steps that New Democrats would like to see.

When it comes to modernizing this law, we do know that this will be important to address because there are issues regarding the data ownership, which is really at the heart of some of the challenges we face. There is algorithmic abuse and also areas related to compensation, enforcement, data ownership and control, and a number of things that are necessary to ensure the protection of people.

We can look at an area where I have done a fair amount of work related to my riding, which is automobile production. There has been the production of the car and the value there, but there will also be the data collection. The use of that data collection can actually influence not only one's individual behaviour, but also that of society. That is a significant economic resource for some of these companies.

It is one of the reasons I have tabled an update to my bill on the right to repair. The right to repair is a person's ability to have their vehicle fixed at an auto shop of their choice in the aftermarket. The OEMs, the original manufacturers, have at times resisted this. There have been examples. Tesla, for example, is not even part of what is called the voluntary agreement, but we still do not have an update with regard to the use of data and how one actually goes about the process of fixing the vehicle.

It also creates issues related to ownership of the vehicle, as well as insurance and liability. These could become highly complicated issues related to the use of data and the rules around it. If these types of things are not clear with regard to the process of rights for people, expectations by those who are using the data, and protection for people, then it could create a real, significant issue, not only for individuals but for our economy.

Therefore, dealing with this issue in the bill is paramount. A lot of this has come about by looking at what the GDPR, the general data protection regulation, did in European law. Europe was one of the first jurisdictions to bring forth this type of an issue, and it has provided an adequate level of protection, which is one of the things Europe stands by with regard to protection of privacy. There have been some on the side over here in North America who have pushed back against the GDPR, and even though this landmark legislation has created a path forward, there still is a need for transparency and to understand what the monetary penalties for abuse are going to be, which are also very important in terms of what we expect in the legislation.

Erosion of content rights is one of the things we are worried about in this bill. Under Bill C-27 individuals would have significantly diminished control over the collection, use and disclosure of their personal data, even less than in Bill C-11. The new consent provisions ask the public to install an exemplary amount of trust to businesses to keep them accountable, as the bill's exceptions to content allow organizations to conduct many types of activities without any knowledge of the individuals. The flexibility under Bill C-27 allows organizations to state the scope not only of legitimate interests but also of what is reasonable, necessary and socially beneficial, thus modelling their practices in a way that maximizes the value derived from the personal information.

What we have there is that the actors are setting some of the rules. That is one of the clearer things that we need through the discussion that would take place at committee, but also from the testimony that we will hear, because if we are letting those who use and manage the data make the decision about what consent is and how it is used, then it is going to create a system that could really lead to abuse.

There is also the issue or danger of de-identification. Witnesses, artificial intelligence and people being able to scrub much of their data when they want and how they want is one of the things we are concerned about. There is not enough acknowledgement of the risk that is available in this. That includes for young people. We believe this bill is a bit lopsided towards the business sector at the moment, and we want to propose amendments that would lead to better protection of individual rights and ensure informed consent as to what people want to do with their data and how they want it to be exercised as a benefit to them and their family, versus people being accidentally or wilfully brought into exposure they have not consented to.

As I wrap up, I just want to say that we have a number of different issues with this bill. Again, we believe there should be a separate vote for the second part of this bill, being the third piece of it. It is very ambitious legislation. It is as large as the budget bill. That should say enough with regard to the type of content we have. I thank the members who have debated this bill already. It is going to be interesting to get all perspectives. I look forward to the work that comes at committee. It will be one that requires extensive consultation with Canadians.

Ryan Williams Conservative Bay of Quinte, ON

Mr. Mandic, I'll go back to you.

We have Bill C-27 before Parliament. It's updating Canada's digital privacy protection. The bill is written to update our laws in the technology and business practices of Web2.

Due to this decentralized nature of Web3 in blockchain, will Bill C-27 be adequate to protect Canadians' digital privacy rights as Web3 becomes more mainstream over the coming years?

Business of the HouseOral Questions

November 24th, 2022 / 3:15 p.m.


See context

Liberal

Mark Holland Liberal Ajax, ON

Mr. Speaker, we are not going to stop the supports we have for Canadians. In fact, I would suggest to the member opposite that making sure our most vulnerable are protected is critical. That is why we have a number of things we are going to be doing in that regard, which I will illuminate in a moment.

As to the other question that was put, I do seriously want to ask, if the Conservatives are opposed to action on the climate, whether they have reflected about what the costs are. These are not costs that will be borne for a year or two but for all time. It is something to reflect on regarding the questions that were posed to me.

I am pleased that this afternoon we are going to complete the second reading debate of Bill S-4, an act to amend the Criminal Code and the Identification of Criminals Act and to make related amendments to other acts. Tomorrow, we will go back to the second reading debate of Bill C-20, concerning the public complaints and review commission act. On Monday, we will resume second reading debate of Bill C-27, the digital charter implementation act, 2022. For Tuesday and Wednesday, we will call Bill C-29, an act to provide for the establishment of a national council for reconciliation, which was reported with amendments from committee earlier this week.

Mr. Speaker, I see you moving in your chair, so you will be happy to know that, finally, for next Thursday, our plan is to commence second reading debate of Bill C-26, the critical cyber systems protection act.

Division of Bill C-27 for the Purpose of VotingPoints of OrderPrivate Members' Business

November 23rd, 2022 / 4 p.m.


See context

Winnipeg North Manitoba

Liberal

Kevin Lamoureux LiberalParliamentary Secretary to the Leader of the Government in the House of Commons

Mr. Speaker, I am rising to respond to the point of order raised by the House leader of the NDP and the Conservative Party respecting the application of Standing Order 69.1 to Bill C-27, the digital charter implementation act, 2022.

I submit that the protection of privacy rights is a unifying theme that links all parts of Bill C-27. This bill is a key pillar in the government's implementation of a digital charter. The three parts of the bill work together to provide a comprehensive framework to build Canadians' confidence in how their personal information is being used, including with regard to the unique risks posed by artificial intelligence systems, and they need to be considered together given their complementary relationship.

Part 1 of the bill, the consumer privacy protection act, aims to modernize the privacy law that applies to commercial activities to assure Canadians that their personal information is being protected in the digital economy. Artificial intelligence represents one of the most significant sources of innovation and is a key emerging risk in the use of personal information.

We heard, in consultations around the former privacy reform bill, that Canadians are concerned about the use of their personal information by artificial intelligence systems and the potential for bias or harm that may result from the irresponsible use of these systems. Part 1 of Bill C-27 addresses Canadians' rights regarding the use of their personal information in the automated decision system, but there are limits to how privacy law can address concerns about the use of AI systems.

The government developed part 3 of the bill, the artificial intelligence and data act, to protect against the systemic impacts of artificial intelligence systems. It would regulate artificial intelligence systems that process personal information and other data about human activities to ensure that risks, such as bias based on race or gender, are addressed from the design stage all the way to deployment.

If Parliament considers part 1 and part 2 of the bill without taking into account the full impacts of artificial intelligence systems on Canadians, it will have an incomplete picture of the use of personal information in the digital economy and the steps needed to build the trust of Canadians.

This is the first time that the government is seeking to regulate artificial intelligence to govern the use of Canadians' personal information. I have no doubt that members will want to study this part of the bill in depth, and I welcome that. I wanted to give the House the government's perspective on why we think the three parts of the bill are interrelated to the protection of Canadians' personal information. I contend that all parts of the bill are interconnected and should be voted on as one item.

Division of Bill C-27 for the Purpose of VotingPoints of OrderGovernment Orders

November 22nd, 2022 / 3:40 p.m.


See context

Conservative

Andrew Scheer Conservative Regina—Qu'Appelle, SK

Mr. Speaker, I am rising to add to this morning's point of order raised by the NDP House leader concerning the application of Standing Order 69.1 to Bill C-27.

In general, we have reviewed the hon. member's submissions and concur with them. That said, there are a couple of additional citations I want to put before the Chair for your consideration. I will not repeat the arguments, because you already have them before you, Mr. Speaker, but we do agree that the measures proposed in part 3 of Bill C-27 are significantly different from and unrelated to parts 1 and 2 such that they warrant a separate vote at second reading.

As my NDP counterpart articulated, the purpose of parts 1 and 2 of the bill concern privacy protections, the powers of the Privacy Commissioner and the establishment of a new government tribunal. Part 3, meanwhile, would create a whole new law respecting artificial intelligence. The mechanisms under the minister and department's powers are completely unrelated to those in parts 1 and 2. That last point is significant in view of another aspect of the March 1, 2018, ruling of Mr. Speaker Regan, which my colleague cited. Allow me to quote your predecessor, Mr. Speaker. Mr. Regan said:

As each of the first two parts of the bill does indeed enact a new act, I can see why the hon. member for Berthier—Maskinongé would like to see each one voted separately. However, my reading of the bill is that the regimes set out in part 1, the impact assessment act, and part 2, the Canadian energy regulator act, are linked in significant ways, reflected in the number of cross-references. For example, the impact assessment act provides for a process for assessing the impact of certain projects, but contains specific provisions for projects with activities regulated under the Canadian energy regulator act. There are also obligations in the Canadian energy regulator act that are subject to provisions in the impact assessment act. Given the multiple references in each of these parts to the entities and processes established by the other part, I believe it is in keeping with the standing order that these two parts be voted together.

Deputy Speaker Bruce Stanton also encountered a similar situation in his June 18, 2018, ruling at page 21,196 of the Debates. Unlike the case that I quoted just now respecting the pipeline-killing former Bill C-69, Bill C-27 does not feature any significant or intertwining cross-references. In other words, Speaker Regan found that the two parts should be voted on together because of all the intertwining and cross-referencing in so many parts, and one part mentioning and referencing items in the first part.

This is not the situation we have today with part 3 of Bill C-27. In fact, part 3 of Bill C-27 does not explicitly cross-reference the personal information and data protection tribunal act, which part 2 would enact. Furthermore, there appears to be only one single, tiny, solitary cross-reference to the consumer privacy protection act, which part 1 would enact, and that is solely for the purpose of proposing a definition of personal information, which would be common to both of those laws. That is certainly not enough to warrant any kind of grouping when it comes to votes.

Part 3 is completely separate. It is its own independent section. There is not anywhere near the level of cross-referencing and intertwining that previous Speakers have ruled are justification for deciding not to have a separate vote. Therefore, it is clear in this situation that Bill C-27, should you, Mr. Speaker, agree with the arguments, should be dealt with in such a manner that there can be a separate vote on part 3.

Standing Order 69.1 is a relatively recent innovation. It has only been in the last number of years that Speakers have been given the authority by the House to separate aspects of bills for separate votes. I will read it:

(1) In the case where a government bill seeks to repeal, amend or enact more than one act, and where there is not a common element connecting the various provisions or where unrelated matters are linked, the Speaker shall have the power to divide the questions, for the purposes of voting, on the motion for second reading and reference to a committee and the motion for third reading and passage of the bill. The Speaker shall have the power to combine clauses of the bill thematically and to put the aforementioned questions on each of these groups of clauses separately, provided that there will be a single debate at each stage.

If we think about the context in which this standing order developed and was ultimately passed by the House, it was to allow members more flexibility and latitude to make their votes count on various aspects of the bill. It is important to think about why the House decided to adopt this measure. There had been, over the course of several Parliaments and across different governments at various times, more and more subject material being included in bills, and this was done at the time to give members the option of voting in favour of some aspects of a bill and oppose others and to clarify for their constituents and Canadians which parts of a bill they supported and which parts of a bill they opposed.

The reason I am talking about this context is I do not believe that at the time, the rationale and impetus for the inclusion of this measure in the Standing Orders was meant to be terribly restrictive. The whole point of the standing order was for it to be more permissive to allow greater latitude and flexibility. This is a relatively new innovation that has only been used a small number of times, and in parliamentary terms certainly a very small number of times, and I believe it would not be in keeping with the spirit and intent that was guiding members when we adopted it to start off, early on in its new use, with being very restrictive, because things around here tend to go in one direction and powers or flexibilities accorded the Chair over time often get more and more rigid as rules and precedents develop around them.

If the Speaker were to adopt a very restrictive interpretation of this standing order, I believe it would take away the point of this innovation, as it was proposed. I do not believe it would take a permissive interpretation of the standing order to agree with my hon. colleague from the NDP and the points that I raise here today. It is very clear that these parts are separate. Part 3 of Bill C-27 is completely independent, stands on its own and is not related, intertwined or cross-referenced in earlier parts of the act.

I only mention the point about restrictive interpretation as one further point to urge the Speaker to consider what the spirit, intent and purpose of this innovation was meant to do, which was to allow members to clearly differentiate which parts of legislation they support and which parts they do not. I would urge you, Mr. Speaker, to keep that in mind as you study the arguments that were put before you. I hope you will find in our favour and allow members to vote separately on part 3.

Division of Bill C-27 for the Purpose of VotingPoints of OrderRoutine Proceedings

November 22nd, 2022 / 10:15 a.m.


See context

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Mr. Speaker, I rise today on a point of order regarding government Bill C-27, an act to enact the consumer privacy protection act, the personal information and data protection tribunal act and the artificial intelligence and data act and to make consequential and related amendments to other acts.

Standing Order 69.1 states the following:

(1) In the case where a government bill seeks to repeal, amend or enact more than one act, and where there is not a common element connecting the various provisions or where unrelated matters are linked, the Speaker shall have the power to divide the questions, for the purposes of voting, on the motion for second reading and reference to a committee and the motion for third reading and passage of the bill. The Speaker shall have the power to combine clauses of the bill thematically and to put the aforementioned questions on each of these groups of clauses separately, provided that there will be a single debate at each stage.

You will find that, in the case of Bill C-27, the bill enacts three new laws and amends several other existing laws.

Bill C-27 enacts the consumer privacy protection act and the personal information and data protection tribunal act.

These two acts were at the core of the former Bill C-11 in the 43rd Parliament, a bill that was introduced in November 2020 and died on the Order Paper a year later, without ever having been voted on at second reading.

Here is the purpose of part 1 of Bill C-27, as described in the text of the bill:

The purpose of this Act is to establish — in an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information — rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Part 2 of the bill sets up the personal information and data protection tribunal, which would have jurisdiction with respect to appeals made under different sections of the consumer privacy protection act. The link between part 1 and part 2 of Bill C-27 is clear, and I am not putting it into question in this appeal at all.

Where we have an issue, however, is with the third part of the bill.

Bill C‑27 also enacts the artificial intelligence and data act, which was not part of Bill C‑11, the previous version of this bill.

The purpose of part 3 of Bill C‑27, which enacts the artificial intelligence and data act, is as follows:

The purposes of this Act are:

(a) to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of those systems; and

(b) to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or harm to their interests.

During his second reading speech on Bill C‑27, the Minister of Innovation, Science and Industry said that the new artificial intelligence act would “set a foundation for regulating the design, development, deployment and operations of AI systems”.

The development of artificial intelligence systems in the past decade has led to profound changes in the way we do things. Regulating AI systems is something we believe must be done. However, it seems odd to add these regulations to a bill that has to do with privacy protection and with the analysis, circulation and exchange of personal information. Artificial intelligence is its own beast in a way, and it should be studied and treated separately.

In a ruling by Speaker Regan on March 1, 2018, he said the following.

The principle or principles contained in a bill must not be confused with the field it concerns. To frame the concept of principle in that way would prevent the division of most bills, because they each apply to a specific field.

The House leader of the Bloc Québécois and member for La Prairie will remember this, since it is from page 400 of Parliamentary Procedure in Québec.

The Speaker continued as follows:

While their procedure for dividing bills is quite different from ours, the idea of distinguishing the principles of a bill from its field has stayed with me. While each bill is different and so too each case, I believe that Standing Order 69.1 can indeed be applied to a bill where all of the initiatives relate to a specific policy area, if those initiatives are sufficiently distinct to warrant a separate decision of the House.

We find ourselves in a similar situation here. While some of the measures in Bill C-27 relate to digital technology, part 1 and part 2 have nothing in common with part 3.

Therefore, it would certainly be appropriate to divide this bill for the vote. The Speaker has that authority, and that would make it possible for members to thoroughly study this legislative measure and better represent their constituents by voting separately on these bills, which are quite different from one another.

Business of the HouseOral Questions

November 17th, 2022 / 3:15 p.m.


See context

Liberal

Mark Holland Liberal Ajax, ON

Mr. Speaker, I thank my hon. Bloc Québécois colleague, who is a very reasonable person. He is right, but when someone asks me a question, it is my job to answer. Every time I am asked the Thursday question, I try to answer as clearly and directly as possible.

Moving back to the calendar, as I know the hon. House leader for the opposition is keenly awaiting this information, this afternoon and tomorrow we will continue with the debate on Bill C-32, concerning the fall economic statement. Of course, we look forward to that hon. colleague's support for this.

Next week, we will be focusing on the second reading debate of Bill C-20, the public complaints and review commission act; Bill S-4, COVID-19 measures; and Bill C-27, the digital charter implementation act, 2022.

Digital Charter Implementation Act, 2022Government Orders

November 4th, 2022 / 1:30 p.m.


See context

Bloc

René Villemure Bloc Trois-Rivières, QC

Madam Speaker, I thank the hon. member for his question.

I was speaking on Bill C-27 this morning. I am not an expert on the notwithstanding clause. Unfortunately, I will not be able to answer his question because I do not have the legal background to do so.

Digital Charter Implementation Act, 2022Government Orders

November 4th, 2022 / 1:20 p.m.


See context

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Madam Speaker, I have spent a lot of time on the ethics committee with the member for Trois-Rivières, and we have dealt with a lot of this material. It has been fantastic.

He spoke about Quebec being a model for Canada, as Quebec has some of the strongest privacy laws in place at the moment. I am wondering if he could expand on two things. One, what does Quebec have that we could implement through Bill C-27 that works really well? Two, does Quebec mention privacy as a fundamental human right for Canadians?