Procedure and House Affairs Committee on Oct. 17th, 2018

Okay.

(Subamendment negatived)

(Amendment negatived [See Minutes of Proceedings])

(Clause 253 agreed to on division)

(On clause 254)

We have amendment PV-10.

Thank you, Chair, and thanks to committee members.

This amendment will be something with which you're all familiar. We've had a lot of focus in the national media, in this committee, and in the evidence. Particularly, I remind you of the evidence of our former chief electoral officer, Marc Mayrand. An approach that he favoured in his testimony was to adhere to the Personal Information Protection and Electronic Documents Act. This is what my amendment will do.

There was discussion before the committee about that suggestion. It was also supported by Professor Michael Pal from the University of Ottawa, and tellingly, in the media, Teresa Scassa, the Canada research chair in information law and policy at the University of Ottawa described Bill C-76 as it is now, as "an almost contemptuous and entirely cosmetic quick fix designed to deflect attention from the very serious privacy issues raised by the use of personal information by political parties.”

It's very timely. It's the right thing to do. There's no reason political parties can't adhere to the same laws that the private sector adheres to.

I would really hope that you'll give serious consideration to actually voting for this amendment to enshrine privacy protection for Canadians and not exempt political parties any longer.

Thanks.

Mr. Cullen.

This is meant to be based on evidence that we heard, and I'm trying to reflect on a single witness who spoke against this idea of the parties moving into the modern era and falling under some sort of privacy rules.

As we heard, Chair, from the current Chief Electoral Officer, there are none that parties are subjected to—zero. It should be of concern not just from the Canadian voter's point of view that we collect a lot of information about Canadians—not just voting intentions but all sorts of information—from the electoral lists. Parties are in the business of accumulating and cross-tabulating data on citizens to understand their voting motivations and their intentions. That's the primary objective of most political parties in their very existence right now, along with raising money and all sorts of other things.

The current examples in front of us from the U.S. and the U.K. should be important. We don't want to fall into a similar scenario in which an important election or referendum is affected because one or all of the parties' data systems were hacked. We also heard from security experts that our parties' data systems are not secure.

This is a clear and present concern. In the most recent Quebec referendum, for example, which was a very close vote, if after the fact—or during, but certainly if after the fact—it was learned that the Parti Québécois or the Liberals had serious breaches of their databases and that those voters were targeted by outside influences to vote one way or another on the question, you can imagine the fallout from that on whoever won or whoever lost. For a country like ours, which, as Mr. Dion used to say, works better in practice than it does in theory, we shouldn't have anything built into our political or democratic infrastructure that threatens our ability to conduct ourselves and to have the will of the voters expressed as cleanly as possible into the parliament they elect.

Marc Mayrand was joined by, of course, our Privacy Commissioner, who said, and I quote, “Nothing of substance in regard to privacy”, and a requirement to have publicly available data policy is a 'hollow” requirement.

The Chief Electoral Officer, whom members on the government side have referred to continuously in support of amendments you have made, said:

If there is one area where this bill failed, it is privacy. The parties are not subjected to any kind of privacy regime.

In answer to a question he said, “I think the time has come for that, and privacy commissioners around the country are of the same view.”

David Moscrop joined that conversation in support of bringing this in.

Victoria Henry from Open Media said that the “omission of political parties from privacy legislation is a concerning gap”.

I'm quoting there, as I will Dr. Dubois, when she said:

This proposed legislation does not include any form of audit or verification that the policy is adequate, ethical, or being followed. There are no penalties for non-compliance. There are no provisions that permit Canadians to request their data be corrected or deleted....

All that's in this bill right now, as committee members know, is the requirement that parties simply publish a privacy policy somewhere on their website. It doesn't say whether that privacy policy should do anything, and it doesn't say that if the party breaks that privacy policy as stated, there is any consequence.

That is meaningless. It really is, folks. If a Canadian challenges a party and says, “I think you've lost my data. I'm getting all sorts of calls from certain groups or certain people trying to sell me things, and I told you on my doorstep that I'm concerned about the environment”, or “I'm concerned about taxes”, there are exactly zero consequences contemplated under Bill C-76 for a data breach from any of the parties. This has to be concerning. This is way beyond right-left partisan politics.

This is simply about trying to address a gap in our legislative ability to run free and fair elections in this country. I've talked with the minister from day one about this. From having talked to some congressional colleagues in the U.S., who said, “If you do anything, fix this gap. You guys are naive; you're boy scouts; you think you're not going to be got after because you're nice people”....

That's not the way it works. Outside influences, inside influences, just looking to disrupt—again, imagine the experience we had in Quebec—a fundamental question going on within one of our provinces, not even to push voters, but to cast doubt....

As we've seen, Chair, when we're talking about election laws, one of the things we're always safeguarding is that on election night, when the results are released in each of our ridings and then the grand result is released for Canadians, win or lose, Canadians accept the results as being good, whether they like them or not—but they weren't tampered with and they weren't affected.

This is one of the things that maintains that assurance for Canadians. Without this, we're in a whole different world, because we collect an enormous amount of information about Canadians. I seem to be the only one around this table admitting that, but we all know it for fact to be true, and we don't have the proper protections, because data is so powerful these days. We watch it all the time. It's only going to increase.

This problem is not going to get better on its own, right? It's not as if parties are going to give up collecting data and are not going to get increasingly sophisticated, yet our security systems are not in place to protect what is so valuable to the functioning of our democracy.

Thank you.

Mr. Graham.

I worked in the technology industry for most of my career before getting into politics. I'm aware of the issues and I don't disagree with what you're saying. I don't think the appropriate way of doing this is by a single amendment putting this under PIPEDA. I think it requires a much fuller study, and I am totally in favour of doing a fuller study here at PROC as soon as this bill is done.

I know what you're going to say, but it's a much bigger issue than one amendment to one bill for one effect, because if you were to put the entire political system under PIPEDA in one amendment with no study, with no research on what the effects are on the political process versus other things....

So yes, I would like to get to where you want to go—to privacy protections for political parties—but I think you have to do a study on how to do it properly.

We know that another committee of Parliament, the privacy and ethics committee, has studied this and they've recommended this.

To your point about more study, and I am not accusing you of this, David, it is one reason that I have heard from government too often when they simply don't want to do something—“let's study it”. We're a year away from the election and we are ill prepared for this threat. Parliament has studied this. Parliament made the decision at another committee to do it, and we're going to reject that, which is what we're actually saying....

Ms. May.

Thank you, Chair, because I know that your committee motion didn't require you to give me a second crack at this.

I just want to mention that I tried to amend this when it was Bill C-23, the Fair Elections Act. I brought forward an amendment to have the Privacy Act apply. This time, I modified it to having the Personal Information Protection and Electronic Documents Act, PIPEDA, apply.

Based on the advice we're hearing from our Chief Electoral Officer and from experts in privacy, if we wait, David, with all due respect, we'll be having the 2019 election with inadequate protection of Canadians' privacy data, and we know what can happen. As Nathan was talking, I remembered that when Irwin Cotler was in Parliament with us—it was a huge honour to serve at the same time as Irwin—he was so upset because he told his campaign staff to make no phone calls on High Holy Days, no phone calls, and somehow somebody had the database of the Jewish families in his riding and they all got calls on Seder. They were interrupted if they were at the Seder feast by calls from the Irwin Cotler office.

Now, we don't know who made those calls, but it's a misuse of privacy data to be able to know who is Jewish, who is likely to be home, and who could be offended by the misuse of data. Our privacy data is private, and Canadians should have a right to be able to say to any political party, “Show me what you've got on me—I want to know.” That's a right Canadians should have. There's no reason, ethically, practically.... There is no justification for political parties to be the only exempt operators who collect data, and boy, do they collect data.

We collect as much as we can. We don't have as much as you guys. I will never forget talking to Garth Turner. He put this in his book. It was about the FRANK system, which stands for friends, relatives, and neighbours' kids, in terms of what his former party was collecting.

We've got to fix this. We've got one shot and it's in the next half hour.

Are we ready to vote on PV-10?

I would like a recorded vote, Chair.

(Amendment negatived: nays 8; yeas 1 [See Minutes of Proceedings])

(Clause 254 agreed to on division)

We'll take a break.

Witnesses, please eat so that you're strong for the next part of our session.

We won't be very long. Bring your food back to the table, please, and we'll carry on.

Thank you.

Welcome back.

Thank you again to all the committee members for very positive decorum and for positively disagreeing.

(On clause 255)

There's one proposed amendment and that's NDP-21.

Mr. Cullen, you could introduce that.

Very good.

This is for colleagues who were feeling that PV-10 was too much, too fast and too quick; who are interested in privacy; and who understand the concerns of the experts we heard from, the Privacy Commissioner and the Chief Electoral Officer. Everybody hears those concerns and wants to do something about it, because how could you not? That would be my argument. In that case, NDP-21 is for you.

Here's what it does. It works with the Chief Electoral Officer to develop directives in consultation with the Privacy Commissioner and to work with the parties to establish guidelines. Those guidelines are then given into directives, and the Chief Electoral Officer can use those directives. It doesn't invoke PIPEDA. This was one of the concerns I heard, particularly from Liberal members, that PIPEDA was too much; it was too much on parties. This does not insist upon that.

This is exactly our job—to independently, as MPs, get elected to a committee, listen to the witnesses, glean the best information we can from them, and do right by Canadians. I suspect, or I presume, I suppose, there's a certain amount of pressure on colleagues to not vote for things that folks back in the party offices don't want to do.

This has two effects, one in practice and one in support of good behaviour. In practice, I think having real privacy policies that are in force, that work with our Chief Electoral Officer...which, again, this entire committee has referenced dozens of times and holds up in high esteem. It also has a secondary effect, where if anybody within the party structure is tempted to do something—such as, I don't know, a robocall into ridings illegally—these types of policies prevent that behaviour, which is what the law is supposed to do. It's not just to catch people when they do wrong. It's also to give enough warning so that when people are tempted, they're not really tempted to enact it.

I really believe we heard everything we need to hear from every witness. If a colleague can recall the testimony of a single witness who said something like this was a bad idea, from all the witnesses we heard, or if colleagues want to look through the ethics and privacy committee, which studied this as well, to find a single witness of any political persuasion who came forward and said Parliament shouldn't do something like this, I would love to hear that testimony. I feel pretty confident that we didn't receive that testimony, and neither did our corresponding committee at privacy and ethics receive that testimony.

A number of us on that committee visited Washington last year. Facebook and Congress and Twitter and a whole bunch of groups that are involved with this issue all gave us the same warning: Your laws are insufficient. We thought we had enough protections. We did not. When a hack happens, it's too late. When the illegal robocalls go out, it's too late.

I just implore colleagues that this is as soft a move as we can make while still ensuring that we get the job done. Like, really; the pleas to study more will be pretty weak when something bad happens. When we're asked what we did about it and we say “Well, we promised to study it more”, we'll hear, “Well, thanks”.We don't do this for any other section of law.

I'll end with this, Chair. This puts some of us in what I almost want to say is a direct conflict between our responsibilities as members of Parliament and members of political parties. The political parties generally don't want this. I know: I've talked to your parties about this. They don't want it. And I know why. They'd rather have it as it is, because status quo means nobody has any idea what the political parties are gathering and what we do with that information.

We don't work for political parties. We may represent them, and fly under various banners, but we work for the people who sent us here. I believe if you sat down with the average Canadian and told them what happens when they click on a survey or when they press “Like” on Facebook; what the parties do with the data; that the parties have very little to no protection to keep that secure; and the potential consequences if that data is breached, then the average Canadian of whatever political persuasion, from the right to the left, would say, “That's crazy. Can you do anything about it?”

Here's something we can do about it. I'll read from the amendment:

385.2 (1) The Chief Electoral Officer may develop directives, in consultation with the Privacy Commissioner, in respect of the protection of personal information by registered parties.

In proposed subsection 385.2(2), the subsections that are named turn guidelines into directives. Proposed subsection 385.2(3) would read:

The Chief Electoral Officer may deregister a registered party if that party's policy for the protection of personal information does not comply with a directive made under this section.

There is a consequence. Posting your policy on your website with no consequence—come on—is totally meaningless. It's checking a box. You don't even have to do it, and if you put up some policy and you don't do it, there's no consequence to you breaking whatever it is you wrote down.

That's not taking this issue seriously. This is an attempt to take the issue seriously.

Elizabeth's motion did more, and we supported it. This motion takes us down the path of us getting serious about privacy. It's 2018, and we're going to the polls in 2019. If anyone believes that this problem isn't only going to get worse for 2023, you're dreaming, and that's what the experts told us.

Don't listen to your parties on this.

We did not support Elizabeth's initial initiatives on this two or three years ago. It took a long conversation with some of the people running my party, saying to suck it up, that they're going to have to develop some privacy policy and we're going to have to be accountable if we break it—real ones—and so they did.

I'm here and able to say it, and not with everybody in my party who works on the data side thrilled about it, but I don't care; I don't work for them.

I ask members to support this amendment. We should do this. The evidence told us we should do this.

I have a couple of questions for clarification.

One is, can you tell me really briefly what the ethics committee study was? What was its mandate?

They actually recommended that PIPEDA apply to the parties.

But what was the topic?

This was about data and data breaches.

You have to remember—