Debates of Oct. 20th, 2014

Mr. Speaker, I thank my colleague for her speech.

Why does she think this bill is being referred to committee before second reading? We asked for the same for other rather problematic bills such as Bill C-23 on electoral reform or the bill on tanker traffic.

In her opinion, why is this bill being sent to committee before second reading?

Mr. Speaker, I thank my colleague for the question.

It is important to send this bill to committee before second reading because, all in all, it is worthwhile. It would update a number of things.

What is more, this bill has flaws that need to be corrected. It would be good to work on these flaws and introduce a good bill. It might be a good idea to reach an agreement with the government to form some sort of team and introduce a bill that meets the needs of Canadians.

We could send this bill to committee immediately to correct its flaws, keep what is good and turn it into something really great.

Mr. Speaker, I am pleased to rise today and speak in support of Bill S-4, the digital privacy act.

Last April the Minister of Industry announced Digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a plan that sets clear goals for a connected and competitive Canada in time for our 150th birthday in 2017.

One of the five pillars of Digital Canada 150 is protecting Canadians. Our government understands that in order for Canadians to take advantage of opportunities in the digital age, we must protect Canadians' private information in the digital world.

Previously our government has taken action to protect Canadians by introducing Canada's cyber security strategy and Canada's new anti-spam law. Bill S-4 adds to our record of standing up for Canadians in the online world.

This bill introduces measures to update PIPEDA, the Personal Information Protection and Electronic Documents Act, by setting out specific rules that businesses and organizations would have to follow whenever personal information was lost or stolen.

I was pleased to see that the member for Terrebonne—Blainville supports this bill and I am looking forward to her support when the bill comes to a vote in the House. In fact, the member said about the bill, “We have been pushing for these measures and I'm happy to see them introduced.”

Data breaches continue to be a major challenge to the privacy and security of citizens around the world. For example, this past summer JPMorgan Chase & Co., one of the largest banks in the U.S., was the victim of an attack that affected the accounts of 76 million households and seven million small businesses. Home Depot recently confirmed that 56 million payment cards were impacted in a breach of its payment card systems that lasted for five months.

Worldwide, there were between 575 million and 822 million data breaches in 2013. In the U.S. alone, nearly 92 million records were compromised in 2013.

Currently PIPEDA contains no obligations for businesses or organizations to tell customers when their personal information has been lost or stolen. I am pleased to tell the House that Bill S-4 introduces measures to address this issue. The bill creates new requirements under PIPEDA for reporting losses, theft, or other unauthorized access to personal information that may result from accidental or malicious activity.

These provisions would ensure that Canadians can take action to protect their personal information in the event of a privacy breach, while also encouraging businesses to adopt better information security practices. Organizations that deliberately ignored these requirements would face penalties of up to $100,000 per offence.

Let me explain how the new provisions will work.

Under Bill S-4, an organization that suffers a privacy breach would be required to notify affected individuals if there is a risk of significant harm. The organization would also have to report the breach to the Privacy Commissioner of Canada.

In fact, the interim Privacy Commissioner, Chantal Bernier, said that this bill contains “...very positive developments for the privacy rights of Canadians”. She was pleased that the government had addressed issues such as breach notifications.

The bill identifies the factors an organization would have to consider when determining whether or not there was a real risk that some form of significant harm would occur as a result of a privacy breach.

First, the organization would have to consider the sensitivity of the personal information. Second, the organization would have to consider the probability that the stolen information would be misused—for example, whether the data was encrypted, how much time had passed between the occurrence of the breach and its detection, and whether the cause of the breach was a malicious attack or was accidental.

Let me say again that by law, an organization would be required to notify individuals as soon as a breach was confirmed. If an organization determined there had been a breach, it would also have to notify other organizations in order to reduce the potential risk for the individual whose information was compromised. For example, if a store experienced a breach of its customer records, it would have to notify the relevant credit card companies or financial institutions.

Let me draw the attention of the House to a key element of these data breach requirements, which is that the bill would require organizations to keep records of all data breaches and provide this information to the Privacy Commissioner upon request. This would give the commissioner the ability to oversee data breach reporting and notification requirements. The Privacy Commissioner would be able to request these data breach records at any time. There would be no need for him to be conducting an audit or investigation when he requests them.

Bill S-4 includes heavy fines for companies that knowingly contravene these new requirements. Companies that deliberately failed to report a data breach to the commissioner or failed to notify individuals would face fines of up to $800,000. This could be up to $100,000 for every individual not told. Similarly, companies that deliberately cover up a data breach by not keeping these records or by destroying them could also face fines of up to $100,000.

Some might ask why there is a need for penalties related to data breach notification, given that most organizations comply with the Privacy Commissioner's guidelines for voluntary notification already. The government recognizes that many organizations already notify individuals of data breaches in a responsible manner; however, some do not. These penalties would target the bad apples, those organizations that willfully and knowingly disregard their obligations or, worse, cover up a breach.

Canadians know that our government takes their privacy concerns very seriously. I look forward to the continuation of this debate as we work with the opposition on how we can best protect Canadians in our digital world.

Mr. Speaker, I would remind the House that we are debating a motion to refer Bill S-4 to committee before it passes second reading.

The member who just spoke talked about all the good aspects of Bill S-4, and yet he voted against my Bill C-475, which proposed more or less the same things, if not better protections for Canadians.

However, my question is more about the Supreme Court decision regarding a provision of this bill related to personal data. We do not know whether the Conservatives plan to change this provision during the study in committee.

Is the member who just spoke afraid that this bill will be considered unconstitutional? If not, why does he not want to consider the Supreme Court's decision in the Spencer case in relation to this bill?

Mr. Speaker, I know my hon. colleague has put forward a similar bill at some point in the past. What we are bringing forward here is clarity in the kind of bill that she had brought forward to ensure that we can eliminate much red tape and still ensure that we protect the privacy of Canadians with respect to the electronic digital messaging that would be interrupting their lives and making it known at that point.

With regard to other issues on enforcement, it is imperative that we put the responsibility in place and have penalties to discourage the bad apple companies that I talked about earlier from continuing their activities. We are looking at an opportunity to ensure that does not continue to happen.

From a constitutional point of view, I would urge members to support this bill so that we can move it forward and try to eliminate as many of the discrepancies as we can from that kind of debate.

Mr. Speaker, I hope I will not put my hon. colleague from Brandon—Souris on the spot to ask a question that relates to what the government House leader has done here. I do not have decades of parliamentary experience, but it is certainly unusual to have a bill from the Senate brought here to be sent to committee. This is a parliamentary procedure that I have not encountered before.

I am very curious as to why we are going through this unusual S. O. 73 approach, as opposed to the normal second reading that is followed by the bill going to committee. I wonder if he can enlighten me as to the procedural manoeuvring that we see for Bill S-4.

Mr. Speaker, it is important that we move the bill forward as quickly as we can so that we can put in place the laws that will protect Canadians' private information in the digital world. I think that is a key to being able to move the bill.

Certainly we are supporting the process of Bill S-4 coming forward. The Senate has put forth a good bill in this particular case. From listening to the debate here this afternoon and knowing that the opposition members are clearly on side with this type of legislation, I look forward to their questions and concerns as we move forward.

Mr. Speaker, I am pleased to rise in the House today to support the motion to refer Bill S-4 to a committee before second reading.

Bill S-4 amends the Personal Information Protection and Electronic Documents Act. I will talk a little more about that, but first I want to take a moment to talk about the motion itself, which aims to send the bill to committee before second reading. This is somewhat strange; this is the first time the current government has done this in recent memory.

It is rather interesting and makes me wonder. Why this measure right now? Why did the government decide to do this, when there were other bills? Is it because the government has its doubts about Bill S-4 and wants to send it to committee, we hope, to solve the problems in the bill? That is what I am wondering.

Although we requested that some highly contested bills be sent to committee before second reading, such as Bill C-23 on election reform, Bill C-33 on first nations education and Bill C-3 on transporting oil along our coasts, the government refused. I have to wonder why it refused to do so and why it is now making the rather unusual—or at least uncommon, in recent history—move to send Bill S-4, a bill that comes not from the government, but from the Senate, to committee before second reading.

Procedure is not one of my strong suits, but there are experts here who can clear this up for us. I find it rather interesting that when we send a bill to committee before second reading, as this motion would do, the scope of the proposed amendments can be much broader. In other words, we could make more extensive amendments since the study in committee is not restricted by the principle of the bill, which has not yet been approved by the House. That is interesting. We can hope that Bill S-4 will be amended and that we will end up with a more polished product, if I can call it that, so that it will be more acceptable as we go into second reading.

Bill S-4 makes a pretty significant change to the Personal Information Protection and Electronic Documents Act. I took a look at this act, which received royal assent in April 2000. As members know, 14 years is an eternity in the digital world. A lot of things have happened in the past 14 years. This act was the result of an extensive consultation with a wide range of experts at all levels.

This work was accomplished through broad consultation in 2000. It is clear that since 2006, with this government, consultations are restricted to very specific groups. It is interesting to see that in 2000, there was a broad consultation that culminated with the Personal Information Protection and Electronic Documents Act. Here is what that legislation does:

An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

That is the legislation that is being amended now. Another interesting part of this law is schedule 1. Certain principles were set out in the legislation about to be amended, and they are particularly interesting because they were set out in the National Standard of Canada entitled Model Code for the Protection of Personal Information. The 10 principles are as follows: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

I went to the trouble of reading those principles. I found them very interesting and I urge all members to read them. Like it or not, as members, we receive personal and confidential information in our riding offices. That is why we too have a responsibility to respect these principles of personal information and electronic document protection.

Right now, we are talking about a motion to refer Bill S-4 to committee before second reading. I mentioned that this has not happened often in recent parliamentary history. In the time I have left, I would like to take a quick look at what Bill S-4 will change.

This bill will make major changes to to the Personal Information Protection and Electronic Documents Act, which I just mentioned, by allowing personal information to be shared without the knowledge of the person concerned or without their consent under some circumstances. To me, that is a questionable way of protecting personal information. Companies would be allowed to share personal information under certain conditions.

As I read the bill, I really thought that there needed to be a better explanation of these conditions and some examples. For example, in a business transaction, when should personal information be shared without clients' consent?

Some aspects of the bill are positive, such as requiring organizations to take various measures when a data breach occurs. Even the current government has some transparency problems in this regard. The third aspect seeks to create offences in relation to the contravention of certain obligations respecting breaches of security safeguards. The fourth aspect would allow the the Privacy Commissioner, in certain circumstances, to enter into a compliance agreement with an organization.

Those are the four main aspects of Bill S-4 that raise concerns. Other aspects of the bill are positive and constitute a step in the right direction. That is why I support the motion to send Bill S-4 to committee to resolve the problems it contains that could result in a breach of privacy.

Mr. Speaker, I am rising to ask questions of my colleague on two matters. The first is a comment that the opposition welcomes the fact that we might actually get a chance to discuss a bill and propose amendments when in fact this very government has refused request after request from this side of the House to do that kind of procedure so that substantial amendments can be made. For that very reason, we are procedurally supporting this.

My second comment and question for the member is this. Again, the unelected Senate has come forward with suggested changes, improvements, and amendments to a bill. However, if there had been proper review and discourse with all sides of the House, it could have been improved to begin with. My concern in quickly looking at the bill, and far be it for me to profess that I know this area in detail, is that a good number of the security breaches are happening because of the government doing that, and yet this bill seems to refer to private organizations.

Mr. Speaker, I would like to thank my colleague for her question.

I read the bill and from what I understood it refers to private companies. However, there are some aspects that I will have to examine more closely. As my colleague mentioned, there are also concerns about the protection of taxpayers' personal information within the government.

Does the government use this bill to exempt itself from certain privacy requirements? That is an excellent question. From what I understood from reading the bill, it deals more with the protection of personal information by private companies. However, it is important to remember that the government also has a huge responsibility to protect personal information.

Mr. Speaker, I would like to thank my colleague for taking part in the debate on this very important bill.

At the beginning of her speech, she asked why the government wants to send this bill to committee before second reading, since it has introduced so many versions of it.

I had a conversation with my colleague earlier. She seems to have some concerns, and I think they are well founded. Could she share them with the House?

Mr. Speaker, I would like to thank the hon. member for Terrebonne—Blainville, who is our digital issues critic.

I would like to congratulate the official opposition for taking initiative and appointing a digital issues critic. We understand the complexity of these issues, which require an approach that balances rapid technological advances and the protection of privacy.

Her bill, Bill C-475, was a commendable initiative. The legislative summary that was prepared stated that the bill aimed to improve the protection of private information. We have to wonder why the government did not support such a worthwhile initiative.

We continue to point out that the government sometimes lacks a balanced approach. It sometimes freely grants the authority to monitor people without a warrant.

Mr. Speaker, I am pleased to rise today in support of Bill S-4, the digital privacy act. Bill S-4 would provide a foundation on which the government would hold business—

The hon. member for Terrebonne—Blainville is rising on a point of order.

Mr. Speaker, I listened with great interest to all of the Conservative members' speeches, but if memory serves and if I am in the right place on the agenda, we are debating a motion to refer Bill S-4 to committee before second reading. Every time a Conservative member rises, he says that he is talking about Bill S-4 and does not talk about the motion that we are supposed to be debating today. I understand that the two might be connected, but we are debating the motion and I think it is important to point that out.

I appreciate the hon. member for Terrebonne—Blainville's intervention. The hon. member pointed out that the comments being made in the context of today's conversation would be relevant to a debate on the bill.

The hon. member makes a point of order with respect to the relevance aspect because the question that is before the House pertains to sending the bill to the standing committee before second reading. It is a relevant point of order because it does call into question the issue of relevance.

Having said that, we appreciate that in the House there is a great deal of liberty and freedom that is given to members to pose their arguments in support of the question. As members might imagine, it is difficult to reason those arguments without referring to the content of the bill. We run into the same kind of issue with respect to debates on time allocation, for example.

While the member for Terrebonne—Blainville is correct that the question is really about sending the bill to committee, I would suggest in this case that it is in order for members to refer to arguments and make commentary about the bill itself, provided that they, of course, circle back and make their arguments pertinent to the question that is before the House.

I note that the member for Brant has just begun his remarks. I am sure that in the course of his 10 minutes he will bring those arguments around to the question that is before the House.

The hon. member for Brant.

Mr. Speaker, the legislation would provide the foundation on which the government would hold businesses to account on behalf of consumers.

It would establish new rules to protect privacy online and backs them up with more effective compliance and enforcement tools in order to strengthen the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

Under this bill, the Privacy Commissioner would be provided with a new set of tools that would help him or her perform oversight and ombudsman functions. At the same time, the courts would continue to enforce the law and could impose significant new penalties which have been added to encourage compliance with key requirements.

Through PIPEDA, the Privacy Commissioner has the responsibility for overseeing compliance with the act. He has the power to investigate, enter premises and compel evidence. He can mediate a settlement, make recommendations and publish the names of those who contravene PIPEDA. In short, the commissioner investigates complaints and works with companies to ensure they comply with the act, but enforcement action is left to the Federal Court. Indeed, the Privacy Commissioner and the Federal Court have worked together effectively to administer and enforce the rules set out in the act.

The commissioner or any other individuals can apply to the Federal Court for a hearing on any matter related to the original complaint. It is the court, not the commissioner, that has the authority to order the organization to change its practices. The Federal Court could also award damages to individuals when their privacy has been violated and they have suffered some form of harm as a result. Under the bill before us, both the courts and the Privacy Commissioner would be given new tools, but the responsibility for enforcement action would still remain with the court.

As has been mentioned, new offences and penalties would be created for three areas relating to the new data breach rules contained in this legislation. The courts can assess penalties for: deliberately failing to report a data breach to the commissioner, as prescribed by the act; deliberately failing to notify an individual of a data breach, as prescribed by the act; and deliberately failing to maintain or deliberately destroying data breach records, as prescribed by the act.

In keeping with existing offences under PIPEDA, these offences would be subject to a fine of up to $10,000 on summary conviction and up to $100,000 on indictment. I would point out to the House that the organization can be assessed a penalty for each and every individual it fails to notify. Given the large number of individuals who could potentially be affected by a data breach, this is a very serious penalty indeed.

At the same time, the bill would give the Privacy Commissioner the tools he or she needs to monitor the impact and efficacy of these new rules and serve as an ombudsman to help reduce the number of cases that go before the courts. The Privacy Commissioner would be given the authority to negotiate compliance agreements with organizations.

Let me give the House an example. Let us assume that following an investigation or audit, the commissioner determines that an organization should take certain corrective actions to remain compliant with the law. Under Bill S-4, the organization could agree to take these actions in exchange for the assurance that it would not be taken to court over the previous breach of the rules. However, the organization would also be legally accountable for any commitments made under the corrective action.

Compliance agreements are an effective mechanism for holding organizations accountable. They allow the Privacy Commissioner and organizations to avoid costly court action and provide flexibility to suit the particular circumstances that an organization finds itself in.

I would remind the House that compliance agreements are already being used by the Commissioner of the CRTC under the anti-spam legislation and the Minister of Health under the Consumer Product Safety Act.

By adding compliance agreements to the tool box of the Privacy Commissioner, we would strengthen consumer privacy protection without fundamentally changing the framework of PIPEDA or the role of the commissioner.

However, in order for this provision to work effectively, further changes to the regime are required. For example, under PIPEDA as it now stands, the commissioner has only 45 days after he or she reports the results of an investigation to make an application to the Federal Court to seek an order to take corrective action. Experience has shown that this is not enough time for the commissioner to work with companies to implement his recommendations and there is the risk that companies would simply stall in implementing the required changes until the 45-day period runs out.

On top of these challenges, 45 days is likely not enough time to negotiate and implement a compliance agreement. That is why the bill would increase the period of time to make an application to the court to one year from the time the commissioner reports the results of his or her investigation.

Finally, I would point out that the bill would give yet another tool to encourage compliance with the data breach provisions. It would give the commissioner the power to publicly disclose wrongdoing of an organization, if he or she considers it to be in the public interest to do so. Under the current act, the commissioner has limited provisions that involve the right to make public information concerning the personal information handling practices of the organization.

However, currently, he or she cannot publicly report when, for example, organizations fail to co-operate with an investigation or repeatedly stall implementation of the recommendations to fix privacy problems. Bill S-4 would broaden the types of information the commissioner could make public concerning non-compliant organizations. This is an important tool in encouraging compliance with the act.

As technology and the marketplace evolve, the commissioner and the courts need more effective tools to help hold organizations accountable for their handling of personal information, for the protection of Canadians and their privacy.

The bill before us addresses this need with four new tools. First, it would assign significant penalties for wilful disregard of the important new data breach notification requirements. Second, it would give the commissioner the authority to negotiate compliance agreements. Third, it would extend the length of time the commissioner or individuals have to bring matters before the court to one year. Fourth, it would give the commissioner greater authority to share more types of information about non-compliant organizations with the public.

I hope honourable members will join me in supporting these new tools for the courts and Privacy Commissioner by supporting Bill S-4.

Mr. Speaker, yet again, I listened with great interest to my Conservative colleague's speech.

I have a more specific question for him. I agree that a data breach notification requirement is essential. I even proposed a similar measure in my Bill C-475, which the member voted against.

In my model, I proposed an objective mechanism that would not make organizations themselves responsible for determining whether the data breach or leak was significant enough to notify the client concerned.

What Bill S-4 proposes is really subjective. It would have the organization make its own determination. Many lawyers, experts and academics have found this approach problematic. Does my colleague think that this approach is problematic?

Mr. Speaker, actually I do not find it problematic because in the business world, which is the frame of reference I would bring to the House on these issues, when we look at the rules and the new tools that the commissioner and the courts would have through the strengthening of PIPEDA through the bill, it warns organizations, more or less, that if they do not report these breaches and it is found that a breach has occurred and they used their own objective decision-making to not report, they would be subject to immense penalties as a result of doing that.

It would clarify for organizations that if there is even the slightest possibility of a breach, it needs to be reported. This would give the commissioner the tools to come in and enforce the rules with a fairly heavy hand.

Mr. Speaker, if I were to take a real example, let us say PayPal, as an organization or as a corporation, to what degree does the member believe that there needs to be any form of protection for consumers so that PayPal, for example, does not just release personal information it has acquired to a private company in regard to a purchase of an item or anything of that nature that could be related to copyright?

Does the member believe that there should be some sort of check in place to protect the privacy of Canadians?

Mr. Speaker, this is indeed what this privacy act strives to do, to provide Canadians with protection in the instances the hon. member is talking about, and it puts the onus on the business. In his case, the member used the example of PayPal. It puts the onus on the ethics of doing business, and it puts the consumer in a position of much greater protection as a result. If businesses violate those rules under PIPEDA, which this new legislation is strengthening, they would be subject to very severe penalties.

Really, around the decision-making table of these companies in terms of sharing information, it certainly sets out in the strengthening of this that we are taking Canadians' privacy very seriously. We are saying that companies may make these decisions, but if they are not the correct ones, if they are not ethical, straightforward decisions and they are trying to circumvent in any way, they would be subject to much more severe penalties as a result.

Mr. Speaker, I congratulate my colleague on her excellent speech, which really highlighted the different problems with this bill.

I would like to hear her thoughts, because she said that the government could have taken advantage of the opportunity afforded by Bill S-4 to correct the flaws in the Personal Information Protection and Electronic Documents Act, known as PIPEDA, which allow for a parallel system in which government agencies can simply ask Internet service providers to provide information on customers, such as their IP address. I would like her to talk some more about that and explain why it is important to correct these flaws in order to put an end to that non-consensual parallel system that has no oversight and no transparency.

Mr. Speaker, that is exactly it. There are no warrants, and there is no oversight or transparency.

Canadians do not like people tinkering with their privacy. It makes no sense and, quite frankly, it is unacceptable. Bill S-4 is not designed to correct the existing deficiencies. The bill contains measures that would increase warrantless access to the information of telecommunications company subscribers, for example. That is shameful and it makes no sense. We have seen some cases of abuse recently in the news. Do we want Canada to go in that direction by letting anyone do anything with the personal information that defines our life? What would be our recourse as Canadian citizens if that were to happen?

Identity theft is a reality, and this information can circulate and be used. Even the government has lost information. At some point, we have to be aware of what we are doing. I think that in light of the fact that this is being done without a warrant, without oversight and without any kind of protection, Canadians have a reason to be concerned. That is why we are sounding the alarm.