Mr. Speaker, I am very pleased to rise today in strong support of Bill S-4, the digital privacy act. I am also pleased to be able to tell Canadians young and old, as well as businesses, exactly what this bill would do for them.
Bill S-4 would provide important updates to our private sector privacy law, called the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. This bill is all about keeping our laws up to date in the rapidly burgeoning digital economy.
The biggest thrust in the protection of Canadians' online privacy, which we eagerly and sometimes maybe too eagerly jump to use, as this is a place where we go to surf, shop, and sell things, is to improve the protection of people's privacy. Our government understands that for a strong digital economy to work and for people to feel confident using this technology, they have to know that they are receiving those protections.
We have consulted very widely with business, with consumer advocates, and with a lot of real people, like moms and dads, to come up with this bill. Our consultations have shown one thing that is very clear, which is that people value their privacy. It is very important to Canadians. As a country, we regard it as a fundamental right, and we expect our personal information to have certain protections. All of us want to be able to embrace this great opportunity that is the web, and we want to have trust and confidence that our information will be protected when we are out there swiping our credit cards, punching in our PIN and pass codes, and giving out our names and addresses at stores and other places where we do business. Really, we are putting the details of our personal lives out there in the hands of businesses and other organizations.
Earlier this year, our government launched Digital Canada 150. This was an ambitious plan to give Canadians confidence that they can take advantage of the full opportunities of the digital age. One of the main pillars of Digital Canada 150 is protecting Canadians, and that is where Bill S-4, which we are talking about today, comes in. It would take what is already one of the world's best privacy regimes and make it even better.
The digital privacy act has five key areas, and I would like to touch on each one and explain for my hon. colleagues why each one is necessary.
The first area is mandatory notification if there are data breaches. These are requirements for companies to let us know if our personal information has been lost and there is a potential to expose us to harm. The time frame companies would be given to do this under this bill would be as soon as was feasible. For example, if a company's computer system was hacked and the clients' credit card information was stolen, the company might need a week to put a fence around it and figure out how many people had been affected and let us, as consumers, know. If the data breach or the hacker was more sophisticated, it might take the company a couple of weeks to figure out everyone who was affected and let us know. There would be some flexibility, but one thing that would be very clear would be that companies could not delay notifying us when there was this kind of breach.
If a company was hacked and it failed to notify clients in the shortest time frame possible, it could be taken to court by the Privacy Commissioner or by individuals. In addition, if a company willfully covered up a data or privacy breach, it could be charged up to $100,000 for every client that had not been notified. We see that these are very significant penalties. Recent revelations that large everyday retailers we deal with, such as Target and Home Depot, were victims of cyberattacks underscore the need for this legislation.
Also, the Privacy Commissioner would have to be notified, so if an organization deliberately covered up a privacy breach or intentionally failed to notify individuals or the Privacy Commissioner, again it could face significant fines.
The second set of changes in Bill S-4 deals with the rules around vulnerable individuals, especially kids.
The government examined this issue very closely as well and talked with experts and other interested parties. Based on this, it put new measures in the digital privacy act that would make it very clear that to give valid consent for information to be collected online, a person's age would have to be taken into account. For example, if one had a website specifically targeted at children and wanted to collect information, one would need to put in something like a pop-up that would say, “before filling in this information, go get your mom and dad”. Children's interests would now be put forward, and that would have to be done using very simple language.
These measures would put more power in the hands of consumers and would keep them better informed when they were out there doing business involving the worldwide web. They would also encourage businesses to adopt better privacy practices.
At the same time as we would be adding new privacy protections, we would also be removing some red tape. The third set of changes would ensure that businesses could collect data they needed to do legitimate business things. I want to stress that these changes would be limited and very much common sense. For instance, believe it or not, right now businesses are breaking the law if they give their own employees' email addresses to customers and clients without the employees' permission. Things like that just do not make sense.
These amendments would let businesses use personal information produced at work; disclose information, such as employees' salaries, that might be important if one were buying or selling a business; use information that might be contained in a witness statement to process an insurance claim; and keep information that is necessary in a regular employee-employer relationship. Businesses would be able to use this information to support normal day-to-day business activities, but, and there is a big but, they would still have to make sure that the privacy of that information was protected and not compromised. If they did not play by the rules, companies could be named and shamed and taken to court and fined.
The fourth group of amendments would allow certain information to be shared without necessarily first allowing for a person's consent if it was shown to be in the public interest or in that person's interest to do so. It would harmonize federal law with Quebec law, Alberta law, and British Columbia's private sector data protection acts.
One might ask what kind of instance that would be. For example, it would protect seniors from financial abuse if a bank noticed that there was some untoward activity going on in their accounts. It would allow emergency, police, or medical officials to communicate with a person's family if the person were injured or deceased.
Who would enforce all of this?
PIPEDA is enforced by the Privacy Commissioner of Canada, who acts like an ombudsman and who would get stronger tools in this legislation. The Privacy Commissioner could turn a matter over to the Federal Court if an organization were breaking the rules, and the court could levy fines and order the company to clean up its act. As well, citizens could personally take companies to Federal Court to order them to change their practices or could ask the court to award personal damages.
The bill would also boost the time available for a complaint if one was going to take an organization to court. It used to be 45 days, but under this proposed legislation, it would grow to a year.
Finally, the digital privacy act would create a new tool that would be an alternative to court action. The Privacy Commissioner could negotiate a binding deal with a company to make significant changes to comply with the legislation in exchange for not being taken to court.
This is all about confidence. It is about the consumer having confidence when having their personal information used so that they can do trade and commerce. They can surf the web. They can buy and sell with confidence and know that they and their families are safe online.
Bill S-4 would provide the necessary updates we need to privacy laws to protect consumers. It is a major part of our government's digital economic strategy, Digital Canada 150, and I urge all hon. members in this House to join with me and support this important piece of legislation.