Mr. Speaker, unfortunately we will oppose Bill S-4 for the reasons I will provide in my speech.
What I am especially disappointed about is that we all voted in good faith for this bill to be studied in committee before second reading. We told ourselves that we could perhaps work together to improve the bill and eliminate the most problematic parts or ensure that it would truly protect Canadians in the digital age. Unfortunately, that did not happen, even though we know that there are more and more risks associated with protecting personal information online.
For more than four years, we have been in Parliament with the same government that rejects all our motions and refuses to work with us in committee. This time, I do not know why, but I had hoped that we could work together.
Usually, a bill is sent to committee before second reading because there are problems with the bill and we want to make changes. Perhaps we want to change something or make changes to PIPEDA that go beyond the immediate scope of the bill. We had hoped to work together. Unfortunately, that did not happen.
That is why I moved three motions today to remove the most problematic sections from this bill. These motions will be voted on together.
We heard over and over that these two sections—clauses 6 and 7—are extremely problematic. These clauses will make it easier to share people's personal information without their consent and without them even knowing that their personal information is being shared. The government is trying to broaden the scope of situations in which information can be shared without consent. That is extremely problematic.
Obviously, there are sometimes extreme circumstances that require personal information to be shared. Such situations exist. Everyone knows that. We take issue with the fact that there is no transparency. There is no mechanism in place to ensure that this information is shared only in exceptional and urgent circumstances. What is more, the threshold of reasonable suspicion is very low.
As a result, we voted against these clauses when the bill was examined in committee. Unfortunately, the Conservatives decided to go ahead with them anyway.
We even proposed amendments to improve these clauses by restricting the kind of situations in which information sharing can happen and creating a system that encourages transparency. There has to be an accountability or oversight mechanism to ensure that this information sharing only happens under exceptional circumstances. That is really not the case.
As I said, we proposed amendments to improve the bill because everyone in the House of Commons knows that protection of personal information is a big issue right now, one that is really important to our constituents.
I even give computer security courses to seniors in my community because they want to understand how to use new technology and they want to have a certain level of confidence when it comes to protecting their information and their identity.
Everyone agrees that this is an important issue and that we have to update PIPEDA to ensure that it can better address the threats present in the digital age in the 21st century.
Unfortunately, the Conservatives' approach was to put something on the table and refuse to accept any amendments or listen to what the witnesses had to say. They just forged ahead.
All of the parties proposed amendments, except for the Conservatives, of course, and all of the amendments were rejected. The NDP even proposed 18 separate amendments that were all rejected.
Most of all, I deplore the fact that from the beginning of the committee's examination of this bill before second reading, the Conservatives said they did not want to change anything. Why should we bother voting to send something to committee before second reading if, from the beginning, the Conservatives have already decided that they will not change anything? It makes no sense. It also demonstrates bad faith. We are supposed to examine bills with an open mind and a desire to improve them, correct their shortcomings and work together. That is what it means to live in a democracy.
The Conservatives even insulted some of the witnesses during the study in committee, telling them that they could choose to either vote for the bill in its current form or accept that there would be no changes to the Personal Information Protection and Electronic Documents Act before the next election. I understand we are having an election soon, but the Conservatives had plenty of opportunities to modernize the Personal Information Protection and Electronic Documents Act. There was Bill C-12, which simply disappeared because of prorogation. The bill that I introduced in the House contained very similar provisions to the ones found in Bill S-4, but the Conservatives voted against my bill.
These changes could have already been in the legislation. Unfortunately, the government suddenly says the timeframe is too tight and the only thing we can do is pass the bill as is despite all its problems and flaws. The government simply wants to pass the bill as is. I think the Conservatives are being disingenuous about this. To tell all the witnesses that the choice is between this bill and nothing is really insulting to them after they took the time to travel here to share their opinions and present their proposed changes.
Since the government rejected all the amendments and we did not manage to improve the bill, the NDP will have to vote against it even though we recognize that some provisions are a step forward, although they do not go as far as they should. Nonetheless, I cannot vote in favour of a bill that will create more opportunities for personal information to be shared without consent, without authorization, without the individual concerned being informed, and without a proper oversight mechanism. That is what this bill would do.
Clauses six and seven, which my motions would eliminate, will weaken the protection of privacy by allowing the sharing of personal information without the consent and authorization of the individual concerned. I already stated that the threshold was very low. I proposed raising the threshold so that the organization asks questions before sharing this information. The Conservatives refused. The Privacy Commissioner even raised concerns about this provision. He said that it could open the door to abuses, and that is what we found. This government made 1.2 million requests to Internet service providers to obtain personal information as a result of flaws in the Personal Information Protection and Electronic Documents Act. There have been actual abuses. As members of Parliament, we cannot consciously open the door to further abuses. However, that is exactly what clauses six and seven of this bill do.
I will now read what the Privacy Commissioner said at the February 17, 2015, meeting of the Standing Committee on Industry, Science and Technology:
Under the proposed amendments, potentially any organization will be able to collect or disclose personal information for a broad range of purposes without any mechanism to identify which organizations are collecting or disclosing the information and why.
This is very problematic because according to its title, this bill is supposed to create the digital privacy act. I am sorry, but there is a problem when parts of the bill contradict its objective. You do not have to be a genius to understand that.
I would like to share a quote from Michael Geist, who also testified at the Standing Committee on Industry, Science and Technology on March 10, 2015:
...the broad provision that we have here opening the door to massive expansion of non-notified voluntary disclosure without any of the kinds of limitations that we typically find even the courts asking for should be removed....With respect, it is both not well studied and ought to be fixed. Canadians deserve better.
He also took the opportunity to disagree with the process that the Conservatives put in place and the idea that we should pass this bill without amendment because we are out of time.
The warning mechanism for a data security breach proposed in the current bill is another problem. Many parliamentarians understand the need for such a mechanism. This was brought up in the committee on which I sit, the Standing Committee on Access to Information, Privacy and Ethics, while we were studying this bill.
As the Privacy Commissioner has said many times, we must require that organizations notify individuals when their data are compromised. In a number of cases, as with Target and Home Depot, the data of thousands of people have been compromised or lost completely. Since the people in question are not always informed, they are not in a position to protect the compromised data. That is a huge problem.
Bill S-4 fixes this problem but does not really go about it in the right way. The proposed model is much too subjective because it allows the organizations themselves to determine whether a data breach creates a real risk of significant harm to an individual. The organizations therefore have to police themselves. They also decide for themselves whether to inform, or not, the Privacy Commissioner and the individual affected of any data breaches that occur.
The model that I am proposing is more objective. I proposed it before when we were examining this bill in committee and when we were examining my private member's bill, Bill C-475, which could have been passed already had the Conservatives not voted against it. This model would give the Privacy Commissioner the power to determine whether a security breach is serious enough to inform the individual. Thus, it would not be up to the organizations to do it.
What is more, PIPEDA covers all organizations, from convenience stores to large digital technology corporations. Some organizations, such as convenience stores that have only a couple of employees, are unable to determine how serious a data breach is. It is therefore important to allow them to turn to an expert, namely the Privacy Commissioner.
I would like to read a quote from John Lawford, the executive director and general counsel for the Public Interest Advocacy Centre, who testified before the Standing Committee on Industry, Science and Technology on February 19, 2015. He said:
Unfortunately, Bill S-4, as written, will very likely result in fewer reported breaches than even now and operate in an opposite manner. Namely, it will create a culture of fear, recrimination, and non-reporting. Bill S-4, incentivizes not reporting data breaches by leaving the determination of whether a breach creates a real risk of significant harm to an individual totally in the hands of the organization that suffers the breach. This obvious conflict of interest is fatal to the purpose of the bill as there is no advantage to a company to report and every advantage to hide a data breach.
As he said, the proposed mechanism is much too subjective. It is unfortunate that the Conservatives refused to implement a more objective system.
This bill does not give the Privacy Commissioner the power to issue orders. The former privacy commissioner, Jennifer Stoddart, asked for that repeatedly. Provincial privacy commissioners also wanted it because they have that power.
All too often, organizations do not act on recommendations made following an investigation by the Privacy Commissioner. Big international companies do not think they need to comply because it is just Canada, but Canada's laws must be respected. When our laws and the Privacy Commissioner's recommendations are constantly ignored, we need to fix that problem.
We could give the Privacy Commissioner the power to issue orders, but there is nothing about that in the bill. Instead, it calls for compliance agreements, which do not go far enough and do not really motivate organizations to act on the recommendations because they are not orders. We wanted to fix this problem, but once again our proposal was rejected.
I would have liked them to adopt the model I proposed in Bill C-475. I suggested following the usual investigation procedures, after which the commissioner would issue orders and set a deadline for compliance. The parties would act in good faith. For example, if problems were not resolved within a year, the Federal Court would impose a fine.
This system would give organizations that comply with the law and the recommendations a chance, with no repercussions whatsoever. However, if we do not find a solution and do not encourage organizations to respect privacy, there will continue to be abuse, and the law and the Privacy Commissioner's recommendations will continue to be ignored.
Bill S-4 is a step in the right direction, but it does not go far enough. That is what I said throughout the entire study. As a matter of fact, some witnesses also said it was important to have a system that truly encourages privacy protection.
What is more, given that we studied this bill in committee before second reading, we had the opportunity to correct other problems with the Personal Information Protection and Electronic Documents Act, because we knew there were some flaws. Under what circumstances is it acceptable for the government to submit at least 1.2 million requests a year for personal information to Internet service providers? This is a serious problem, but nothing is being done about it.
I thought we could sit down as parliamentarians and come up with ways to put oversight and transparency mechanisms in place and even get rid of these flaws and abuses. This was a missed opportunity.
Recently, the Supreme Court established in Spencer what was reasonable and not with regard to privacy protection. Unfortunately, that ruling was not taken into consideration during the study in committee. The Personal Information Protection and Electronic Documents Act was not amended in order to make it consistent with the Supreme Court ruling. That needs to be done. The government needs to show some vision and correct these flaws to provide better protection of Canadians' privacy because that is what Canadians deserve.