Mr. Speaker, I am pleased to speak about a topic as important as privacy protection.
We need to amend the Personal Information Protection and Electronic Documents Act to bring it in line with the reality of the digital era. The bill seeks to impose new requirements for the collection, use and disclosure of personal information by a company or organization.
What really bothers me about this bill is the provision that would allow organizations to share personal information without a warrant—yes, I did say without a warrant—and without the consent of the individual concerned. That is a major problem.
Even though this bill is called the digital privacy act, it contains a provision that could really interfere with the protection of privacy. I find that deeply contradictory.
Once again, this Conservative government has proven that it spends more time coming up with grandiose titles than working on content. It is also extremely important to point out that between the drafting of this bill and today's debate, the Supreme Court ruled that information such as the data that Internet service providers have on users and clients—IP addresses, email addresses, names, telephone numbers, and so on—is considered personal information and cannot be obtained without a warrant. I am not the one saying that. It was a Supreme Court ruling.
I have some serious concerns about the constitutionality of this provision. The government must comply with the Supreme Court's ruling and remove all the provisions enabling the disclosure of personal information without a warrant.
During the study in committee, a number of witnesses expressed concerns about this very provision. For example, the Privacy Commissioner said the following in a submission:
Allowing such disclosures to prevent potential fraud may open the door to widespread disclosures and routine sharing of personal information among organizations on the grounds that this information might be useful to prevent future fraud.
We want to protect privacy, but it is questionable to allow access to personal information without a warrant, without consent, without any kind of judicial oversight and without transparency. The Conservatives have a poor record when it comes to protecting privacy, and Bill S-4 will not erase the past.
In one year alone, government agencies secretly made at least 1.2 million requests to telecommunications companies for personal information, without a warrant or proper oversight. Why did they ask for this information? We do not know.
The government should have taken advantage of Bill S-4 to close the loopholes in PIPEDA that allow this kind of information transfer without legal oversight, consent or transparency.
There is another provision in the bill that made my jaw drop. This bill would require companies to declare a data loss or breach if and only if it is reasonable to believe that the breach creates a real risk of harm. In other words, it is up to the company itself to determine whether or not it should notify the authorities in the event of data loss. That is crazy.
This measure will actually give companies less incentive to report data breaches by leaving it up to the company whose data were breached to decide whether the breach creates a real risk of significant harm to an individual.
This blatant conflict of interest is what really kills the purpose of this bill because a company will see no benefit to reporting a data breach and every benefit to hiding it. Deciding that a breach is benign will save the company money, damage to its reputation and inconvenience.
It will also help the company avoid being put under the microscope by the Office of the Privacy Commissioner of Canada for an audit or investigation. It will create a culture of non-reporting because the commissioner would be nothing more than an observer.
In conclusion, the Conservatives say that their bill is balanced, but we can do much better. We are increasingly aware of the harm that data breaches can cause, so we cannot create a bill that will barely be useful.
We need a bill that will do an excellent job of giving Canadians better protection from data breaches. This bill has not been looked at carefully enough, and we need to fix it. Canadians deserve better.