Bill C-27

Madam Speaker, the member indicated that it is not in the preamble. Could it be in the preamble? Maybe it should be. I am not sure.

What I did learn very quickly from my days on municipal council is that the preamble really does not matter; it is the resolve clauses in the motion, or in this case the bill, that really matter. Do I believe that privacy is of the utmost importance? Absolutely. It is talked about throughout this bill. Should that be in the preamble? I am sure that is another matter that could be discussed at committee to determine if it is appropriate.

Madam Speaker, for the average citizen in the digital age, we have entered uncertain times. To almost everyone, at face value, the convenience of our time is remarkable. Access to any piece of information is available at our fingertips. Any item imaginable can seamlessly be ordered and delivered to our doors. Many government services can be processed online instead of in person. Canadians have taken these conveniences for granted for many years now.

The pandemic accelerated our ascent, or descent, depending on who you ask, into the digital age. The inability to leave our homes and the necessity to maintain some rhythm of everyday life played a significant part in that, but around the world, we saw governments taking advantage of the plight of their citizens. Public health was used as a catalyst for implementing methods of tracking and control, and social media platforms, which have been putting a friendly face on exploiting our likes, dislikes and movements for years, continue to develop and implement that technology with little input or say from their millions of users.

Canadians no longer can be sure that their personal information will not be outed, or doxed, to the public if doing so would achieve some certain political objective. We saw that unfold earlier this year with the users of the GiveSendGo platform.

The long-term ramifications of our relationship with the digital economy is something Canadians are beginning to understand. They are now alert to the fact that organizations, companies and government departments operating in Canada today do not face notable consequences for breaking our privacy laws. As lawmakers, it is our responsibility to ensure that Canadians’ privacy is protected and that this protection continues to evolve as threats to our information and anonymity as consumers unrelentingly expands both within and beyond our borders.

That brings me to the bill we are discussing today, Bill C-27. It is another attempt to introduce a digital charter after the previous iteration of the bill, Bill C-11, died on the Order Paper in the last Parliament. My colleagues and I believe that striking the right balance is at the core of the debate on this bill. On the one hand, it seeks to update privacy laws and regulations that have not been modernized since the year 2000 and implemented in 2005. It would be hard to describe the scale of expansion in the digital world over the last 22-year period in a mere 20-minute speech. It is therefore appropriate that a bill in any form, particularly one as long-awaited as Bill C-27, is considered by Parliament to fill the privacy gaps we see in Canada’s modern-day digital economy.

Parliament must also balance the need for modernization of privacy protection with the imperative that our small and medium-sized businesses remain competitive. Many of these businesses sustain themselves through the hard work of two or three employees, or perhaps even just a sole proprietor. We must be sensitive to their concerns, as Canada improves its image as a friendly destination for technology, data and innovation. This is especially true as our economic growth continues to recover from the damaging impact of pandemic lockdowns, crippling taxes that continue to rise and ever-increasing red tape.

That extra layer of red tape may very well be the catalyst for many small businesses to close their operations. No one in the House would like to see a further consolidation of Canadians’ purchasing power in big players such as Amazon and Walmart, which have the infrastructure already in place for these new privacy requirements.

In a digital age, Canadians expect businesses to operate online and invest a certain amount of trust in the receiving end of a transaction to protect their personal information. They expect that it will be used only in ways that are necessary for a transaction to be completed, and nothing more.

In exchange for convenience and expediency, consumers have been willing to compromise their anonymity to a degree, but they expect their government and businesses to match this free flow of information with appropriate safeguards. This is why Bill C-27, and every other bill similar to it, must be carefully scrutinized.

As many of my colleagues have already indicated, this is a large and complex bill, and we believe that its individual components are too important for them to be considered as one part of an omnibus bill.

There are three—

I am sorry, but I am going to cut in to interrupt the hon. member. She will have 15 minutes and 45 seconds to complete her speech when we return to this. We will now go to Statements by Members.

Mr. Speaker, as many of my colleagues already indicated, this is a large and complex bill, and we believe that its individual components are too important for them to be considered as one part of an omnibus bill. I am pleased with the ruling of the Speaker.

There are three separate pieces of legislation to this bill. In part 1, the consumer privacy protection act would repeal and replace decades-old measures concerning personal information protection. In part 2, the personal information and data protection tribunal act would strike a tribunal to administer penalties for violations of the CPPA. In part 3, the artificial intelligence and data act is brand new to the bill and sets up a framework for design and use of AI in Canada, which is almost entirely unregulated.

Long before the widespread use of the Internet, our Supreme Court was clear that privacy is at the heart of liberty in a modern state. The government should be taking every opportunity possible to enshrine privacy in our laws as essential to the exercise of our rights and freedoms in Canada. As Daniel Therrien stated in the Toronto Star earlier this month, “democracies must adopt robust solutions anchored in values, not laws that pretend to protect citizens but preserve the conditions that created the digital Wild West.”

The value of privacy should anchor the bill. Instead, the bill fails right out of the gate. The preamble states:

the protection of the privacy interests of individuals with respect to their personal information is essential to individual autonomy and dignity and to the full enjoyment of fundamental rights and freedoms in Canada

Placing this value in the preamble of the bill where it has no teeth raises distrust rather than confidence that the government truly respects Canadians' privacy rights. The CPPA would require organizations, companies or government departments affected by the bill to develop their own codes of practice for the protection of personal information. While these codes must be approved and certified by the Privacy Commissioner, one can only imagine the variation of protection that would result. This requirement would add significant red tape and would be yet another onerous task borne on the backs of small and medium-sized businesses, which employ most Canadians. It would also create more work for the Privacy Commissioner in parsing through complicated codes created by larger, wealthier, powerful corporations, companies or government departments that have legal teams whose sole purpose is to find creative ways to perhaps game the system.

Although it would take more time and investment up front, the better option, in my mind, would be to create a standard code of practice that all entities have to follow. This could certainly be taken on as one of the first responsibilities of the expanded Office of the Privacy Commissioner in defining the universal code of practices, where confidence in the process would be greatest and where the greatest level of concern for individual privacy actually exists.

This bill states that personal information can be transferred without Canadians' consent for purposes ranging from research to analysis to business purposes, but it must be de-identified before this can take place. At first glance, this is a positive measure until it is compared with anonymization as an alternative. According to the bill, de-identify means “to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.” That leaves much to be desired when compared to the anonymization of personal information. In the bill, anonymize means “to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”

Any attempt to identify individuals from de-identified information is prohibited, except in approved circumstances. While many of these approved circumstances relate to the ability of an entity to test the effectiveness of its de-identification system, the potential for abuse still exists. This bill would be improved by eliminating those chances for abuse. We should examine replacing de-identification with anonymization wherever possible.

In comparing Bill C-27 to the EU regulations, we see there are several ways in which the CPPA does not live up to what is widely considered to be the international gold standard of privacy protection, which is the European Union's 2016 General Data Protection Regulation, or GDPR. There is a glaring example of Bill C-27's inferior protections: The GDPR processes personal data in such a manner that it can no longer be attributed to a specific individual without the use of additional information kept separately, subject to technical and organizational measures. This is a security and privacy-by-design measure of the GDPR.

Regarding what Bill C-27 considers to be sensitive information, there is nothing to indicate what sensitive information actually entails. It is also limited in its application. Only the personal information of minors is considered to be sensitive. All information Canadians surrender to any entity should be considered sensitive. On the other hand, the GDPR possesses a particular regime for special categories of personal data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data and data concerning health, sex life and sexual orientation.

We are happy to see that consent is better defined in Bill C-27. However, exceptions for activities not requiring consent would remain in place. Some of them are so broad that an entity could interpret them as never requiring consent. These are loopholes that Canadians should not have to endure when they are required to check the box that they have read and accept terms before they are able to interact with a digital site.

For example, legitimate interests in a given situation may be used by companies to disregard consent. There is a danger that these interests will outweigh potential adverse effects on the individual. Attempting to define legitimate interests allows for too much interpretation, and interpretation is not something that lends itself to privacy laws. The use of personal information could also be exempt from consent if a reasonable person would expect the use of their information for business activities. There is no definition as to what a reasonable person is.

The bottom line is that there are far too many loopholes and vague terms. For the savvy, wealthy or well-lawyered, the potential for abuse exists. The GDPR, conversely, is unequivocal on consent. It must be freely given, specific, informed, unambiguous and in an intelligible and accessible form, and is only valid for specific purposes. Canada should have followed that example. Canadians cannot help but wonder why Bill C-27 does not.

Under the proposed CPPA, there is no minimum age for minor consent, nor is “minor” defined. In the EU, the GDPR sets out a minimum age for a minor's consent at 16 years of age. Member states also have the flexibility to allow for a lower age, provided the age is not below 13 years.

If a breach of personal information does take place, Bill C-27 would make Canada slower to respond than its international counterparts. This bill mandates that a notification be made to the Privacy Commissioner of any breach that creates a real risk of significant harm as soon as it is feasible. The individual affected would also need to be informed, but, again, as soon as feasible.

The GDPR sets out that a mandatory notification must be made to the supervisory authority without undue delay, or 72 hours after having become aware of the incident in certain circumstances. Prior to the introduction of this bill, Canada was lagging behind internationally, and it still is, even after. The GDPR is already six years old. That is six years of extra time during which the Liberals have failed to develop this legislation to meet the robust international standard.

In Bill C-27, the Privacy Commissioner would be empowered to investigate any certified organization for contravening the act. The commissioner has been rightly asking for increased powers and responsibilities for some time, and this goes beyond a mere recommendation to violators to stop their actions. The commissioner would be able to recommend greater penalties of no more than $20 million or 4% gross global revenue for a summary offence, and no more than $25 million or 5% gross global revenue for an indictable offence.

These penalties should add more bite to what the Privacy Commissioner can do and impact how Canadians’ personal information will ultimately be treated. The penalties would also apply to a greater number of provisions, such as actions that contravene the establishment and implementation of a privacy management program and failure to ensure equivalent protection for personal information transferred to a service provider.

However, these new powers for the Privacy Commissioner hit a dead end when taken in context with the second part of this bill, which establishes a tribunal. The personal information and data protection tribunal would consist of no more than six members, and only half of those members must have experience in information and privacy law. The Privacy Commissioner would have order-making authority and the ability to make recommendations to this tribunal regarding penalties. However, the tribunal would have the power to apply its own decision instead, which would be final and binding. Except for judicial review under the Federal Courts Act, the tribunal's decisions would not be subject to appeal or to review by any court. These are powers equivalent to a superior court of record.

The existence of this tribunal would dull the new teeth given to the Privacy Commissioner. While the commissioner could recommend that a penalty be levied for violations of the CPPA, it is the tribunal that would have the power to set the amount owed by these organizations.

The cost associated with striking this tribunal is also a concern. Despite the fact that its work would likely be limited to a handful of times per year to determine penalties, it would apparently require a full-time and permanent staff of 20. I am deeply concerned as the government also has a bad habit of striking advisory councils, or so-called arm's-length regulatory bodies, in advance of bills being debated and passed in the House, long before the ink on the legislation is dry.

My memory is drawn to when a bill was being debated in the House, and I inquired about the details of the proposed environmental council. I was told with great zeal that it had already been established, and the members had been appointed before the bill was even debated in the House.

Can the current Prime Minister tell us if this tribunal would be struck only after Parliament has dealt fully with this bill? Will the Liberals be transparent with Canadians on how the appointment process would be undertaken? Can they assure Canadians that a full-time and permanent staff of 20 has not already been determined? After seven years of Liberal power, the level of patronage in this place run deep.

Part 2, which is the personal information and data protection tribunal act, should be removed as it is a bureaucratic middleman with power that would conflict and create redundancy with the Privacy Commissioner's new powers. The new powers would mean little if they were not coupled with quick and effective consequences for violators. It would prolong decisions on fines and harm Canada's reputation of holding violators accountable.

It would also not align with our friends in the EU, U.K., New Zealand and Australia that do not use a tribunal system for issuing fines. It goes to show Canadians that when it comes to making big government needlessly bigger, the Liberals do it well.

The third and final part of this bill is the only entirely new component. The artificial intelligence and data act seeks to regulate an entity, artificial intelligence, that has not been regulated before in this country.

It would set standards for the creation and use of AI systems in Canada by both domestic and international entities. More specifically, international and interprovincial trade and commerce in artificial intelligence systems would be regulated through common requirements for the design and use of those systems.

It would prohibit certain conduct pertaining to AI systems that could lead to harmful results for individuals and their personal data. There is that mention of personal data. This is a massive undertaking, attempting to regulate something that, up to this point, has been almost entirely unregulated.

I also understand that consultations on this were only initiated in June. Logic would dictate that such a bill requires careful scrutiny and time to get it right.

Requiring record keeping and human oversight are positive developments. What we find difficulty with is getting a clear picture of what the final framework would look like, as the minister alone would be empowered to establish these regulations. The minister would be able to act independently of Parliament in making rulings and imposing fines. In an age of uncertainty and new horizons for our relationship with AI, this is unacceptable. Parliament, at the very least, and independent experts and watchdogs should be central to the creation and enforcement of these rules.

It appears that once again the government has chosen to simply tack on a crucial area of concern to Canadians to an already complicated bill, and it wishes to again entrust sweeping powers to a minister to act independently of parliamentary oversight.

My final thoughts today on Bill C-27 are as follows. The Conservatives are considering this bill through a reasoned approach, and appreciate that stakeholders who have been calling for this legislation for years are watching today's debate closely.

It is absolutely clear that modern-day protection for the personal information of Canadians is required. They must have the ability to access and control its collection, use, monitoring and disclosure, and the right to delete it or the right to vanish.

How can we ensure that data is protected through watertight regulations and strict fines for abuse while also realizing that not every business affected by this bill would have the resources of Walmart or Amazon? Small and medium-sized businesses should be shielded from onerous regulation that stifles their growth. This is not to say that business interests should weigh equally with personal privacy, but there is a balance to be had, and I believe the Liberals do not have it right here.

Furthermore, in a cynical attempt to move their legislative agenda forward, the Liberals have bundled changes to privacy laws with a first-of-its-kind framework for artificial intelligence that once again intends to govern through top-down regulation and not through legislation.

The Liberals should commit today to splitting this bill up to allow Canadians a clear view of its intended impact. With that commitment, the Conservatives will be looking to do the hard work at committee to improve the long-awaited but flawed elements of this legislation. Even in an age of convenience, the world in which we live grows even more complicated by the day. Canadians deserve privacy protection worthy of 2022 realities and beyond.

Madam Speaker, this is very progressive legislation that deals with an area of concern that Canadians have, and it is something the government is concerned about. That is why we have the legislation. It is for safety and privacy, which are of critical importance.

We are moving into a significant digital economy with databases. The issue is there, and I am interested in knowing where the Conservatives are going to fall on this legislation. When I listened to the member, she seemed to express concerns about this area, but there was no indication of whether the Conservative Party would be supporting the legislation. We just heard from the Speaker in terms of voting on the three parts.

Does the member have any suggested amendments that she is thinking about? I believe that Canadians need this legislation. Would it not be nice to have legislation of this nature pass second reading before the end of the year?

Madam Speaker, I do not know if, throughout my speech, members heard my concerns around the fact that this falls short of what our international colleagues have created. It is so much stronger in the European Union's 2016 general data protection regulation, or GDPR.

Obviously, we have indicated on this side of the House that we have a lot of concerns, especially with the lack of definition of so many terms that are included in this legislation. They need to be clarified. Otherwise, it is going to create all kinds of additional problems. What we need more than anything is clarity so that Canadians can have confidence that their privacy is being protected.

Madam Speaker, I was fascinated by the part of the bill dealing with artificial intelligence. Personally, I thought that it proposed a general framework and the beginnings of a legal structure that were very interesting. The objective is to regulate pan-Canadian, interprovincial and other trade, as well as to prohibit certain practices.

Does my colleague agree with me on that, at least? It is an important step forward in a sector like artificial intelligence, which is so murky and so amazing at the same time.

Madam Speaker, I agree that this is an area in which Canada is way behind. It is absolutely crucial that we get started on creating that framework. However, what disturbs me is the fact that it was tossed into this bill that also deals with other issues, which are significant on their own. Consultation on this did not even begin until June. It is very rash of us to consider it in this legislation. I am thankful that it is going to be voted on separately.

Madam Speaker, this follows on the question that was just asked by my colleague. We recently saw that 19,000 Canadians were affected by the recent Equifax breach, for example. The Office of the Privacy Commissioner concluded that Equifax did not fulfill its obligations to Canadians. It entered into a compliance agreement with no fines, no penalties and no compensation for Canadian victims. We are seeing very different fines and penalties for Canadians and Americans, and Canadians are getting the short end of the deal.

Does the member feel it is important that we have parity and equivalency for citizens on both sides of the border?

Madam Speaker, there are many areas where Canada is on the short end of the stick. I think of our ability to have Wi-Fi and cellphones at a reasonable price compared with other countries. In this case, it is really important that we do the due diligence needed. Canadians need to have the same level of ability to have their privacy protected that any other nation has. I would encourage members to look at the EU version of this and do a far better job of incorporating in this what is needed to function internationally with our allies.

Madam Speaker, I too share concerns with Bill C-27, particularly around the artificial intelligence and data act. Specifically, I agree with her. Having one minister solely delegated the responsibility for a wide variety of different regulations that might affect private as well as public data is too much. As Parliament, we should be looking into this and setting out the parameters.

The government has basically told the private sector that it can hold it accountable for serious harm, something it does not even define in the law, in Bill C-27, while at the same time giving itself the ultimate loophole. It says it can exempt itself. Not only that, but some of the organizations are trustworthy, as it says in the bill. The minister can say that any provincial or federal commission or body he or she wants can be exempted, allowed to use artificial intelligence and held to a different standard than the private sector is.

Does the member agree that this particular section, more than anything, needs to be looked at? I believe it is too much government overreach. It has essentially given itself the ultimate loophole.

Madam Speaker, that is my deepest concern as well. We have seen the government, in other pieces of legislation, give itself the authority to create a situation that is out of the hands of Parliament and into the hands of a minister as to how things will be developed or implemented.

I certainly agree with the member. We need to do a lot more work and make sure that Canadians are truly protected, and not by just one individual at a certain point in time who has a great deal of power. In some cases in that situation, I would say too much power. We need to ensure that it is done properly with Canadians in mind.

Madam Speaker, I fully understand the stress the Canadian financial sector is feeling.

Unless we tighten the rules, Canada will not meet the European Union's expectations, which means Canada's financial sector could lose all or part of very important European markets. There is less pressure in Quebec because, thanks to its own legislation, it is already compliant.

Despite the pressure, the bill must be properly drafted. Is my colleague concerned that pressure from the financial sector could lead to a situation in committee where words and time are more limited?