Mr. Speaker, it is a pleasure to rise and speak to Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act, called PIPEDA. The bill has the rather misleading title of the digital privacy act.
I will be speaking against this bill for a number of reasons that have been articulated very well in past debates by the member for Terrebonne—Blainville, our digital issues critic. She has brought in a bill of her own. The government took parts of it and did not go as far as it needed to, to actually protect the digital privacy of Canadians.
I would like to, first, talk about why this is such an important bill. Second, I will talk about the history of getting it here. Last, I will talk about some of the critical problems with this bill and propose an amendment at the end of my remarks.
E-commerce is the backbone of the modern Canadian economy and it is only going to be more important going forward. Think of our children and their use of digital material.
My colleague, the member for Toronto—Danforth, made some comments about e-commerce and why this bill, which underscores legal protections for privacy and e-commerce, is so important. He said that the world's largest taxi company has no cars. It is the largest taxi company because it has personal information. It is called Uber.
The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company because it owns personal information. The world's largest retailer has absolutely no inventory. He was referring to Alibaba in China.
As we move to what my colleague called the Internet of Things, by 2020, we will have 26 billion devices connected to the Internet. I hope that people appreciate that we are moving into an economy where we need to know the rules of the game and we need to know that our personal privacy in the private sector is protected. Business wants that certainty and consumers demand that what is left of their privacy be treated fairly by those private sector organizations that hold their information.
Canada is really in a unique position on the planet. We are halfway between the European Union, which has a very aggressive data protection regime, and the United States, which has sectoral legislation but not a comprehensive private sector law like PIPEDA, the bill that is before us in its amended form.
I say that we are halfway between those two regimes because, under PIPEDA, Canada has managed to create what is called a substantially similar regime to the European Union. That means that e-commerce companies in England, Ireland, France, and the 28 other countries that make up the EU can confidently share their personal information with Canadians because they know that they will have substantially similar protection. Canada achieved that. The United States does not have anything like that, so companies like Google and Facebook will often use Canada as a launching pad.
If we can make privacy protection sufficient in Canada, it will likely be sufficient for Europeans, who have had the most stringent requirements of privacy on the planet. It is important that we get this right.
It is amazing and very timely that we are having this debate at this time because on Monday of this week a clear signal was given by the Council of Ministers in the European Union that it is going to go for a regulation soon, not the directive that has been enforced for some time. After two years, all 28 countries will have to come up with an even more stringent regime.
That is why this bill is so problematic. It would not help small business, as I will describe, and it certainly would not give consumers the protection that the courts say that they are entitled to. I refer to the case of Spencer in 2014, where warrantless searches were said to be not on for Canadians, yet they seem to be just fine in this bill, which is odd. We need it get it right from a commercial point of view, as well.
I am indebted to Professor Michael Geist, who testified before the industry committee and the Senate, and who is so prolific and thoughtful in his analysis of private sector privacy legislation and other privacy regimes. He talks about how it is has taken us eight to nine years to get to this state.
I wanted to talk about this because the government's ineptitude in helping the e-commerce industry that I talked about and protecting the privacy of Canadians is on full display in the history of this bill.
The Conservatives tell us that it is urgent, that we must get on with it. Well, that is because they have dropped the ball, as I will describe in many ways. It has taken eight or nine years to get to this situation.
The Conservatives left an earlier version of a privacy bill sitting for two years in the House of Commons with no movement whatsoever and then it died at prorogation. How did that happen? In November 2006, the Standing Committee on Access to Information, Privacy and Ethics undertook its hearings on this reform. That was one year later than the five-year review process required by the act.
Just to back up, PIPEDA, the bill before us that is being amended, requires parliamentarians to review it after five years. They could not even get that deadline together.
In 2007, there was a report recommending certain things be done. Nothing seemed to happen. First reading was in 2010 for Bill C-29, the first PIPEDA reform. Second reading of the bill was in October. In September 2011 there was the first reading of Bill C-12, the second attempt to reform PIPEDA. That never got past second reading. It died when the government prorogued. Then another bill, this Bill S-4 was introduced in April 2014. This was the third try. Three strikes are lucky, I guess.
Here we are before Parliament with a bill that when it was in committee, the government said solemnly that it was urgent that we get on with it because it did not want to take a chance on any further delays and amendments. It is laughable the way the government treats the backbone of e-commerce, this privacy legislation. It has taken eight or nine years to get to where we are tonight. In the dying days of Parliament we are debating the legislation. It shows how important this must be to the government of the day.
In my riding, where we have a thriving e-commerce industry, with start-ups trying to develop apps and so forth, the bill is important and the government treats it with a history of neglect, which is the best way I can put the ineptitude I have described.
It is critical for small businesses, as I will describe, because they just do not have the wherewithal of large business to comply with some of the provisions of the legislation. I will come to that in a moment.
What does the bill do? Some of the things it does right is that it has finally agreed with endless Privacy Commissioner recommendations that there ought to be mandatory breach disclosure. If there has been a breach of data by a company, where it is sent to the wrong place and suddenly my personal information is found in the back of a taxi cab on a data stick, someone has to be told about it. That is pretty simple and obviously long overdue. That is a good thing to have in the bill.
Second, there are increased enforcement powers for the Privacy Commissioner, including the notion of compliance agreements that companies would enter into. This is a long-standing consumer protection approach that has now found its way into the bill.
According to experts, such as Mr. Lawford, testifying on behalf of the Public Interest Advocacy Centre, it would likely result in fewer reported breaches because it leaves the determination of whether a breach causes a real risk of significant harm entirely in the hands of the private sector companies.
Do the words “conflict of interest” seem to come up? They do and that obvious conflict of interest is fatal to the purpose of the bill. Why is a company going to want to blow the whistle on itself? It seems a bit odd and others have suggested, as has my colleague from Terrebonne—Blainville, in her Bill C-475, that it ought to be for the Privacy Commissioner, an independent officer of Parliament, to pass on that, not the industries themselves. That was the subject of much criticism in the industry committee, which studied Bill S-4.
That gives me a chance to talk about the attempt by the opposition to actually get meaningful debate in the industry committee. Since I got here, probably the most disappointing thing I have found is the government's utter indifference to any amendments unless they come from its side of the aisle.
There is an effort to have a real dialogue and to improve this and come up with a kind of unanimous support for something which is technical in nature, but the government said no to every single amendment, which, of course, in my experience is the way it does it every single time. I have been on two committees and I have not seen one amendment passed that anybody but the government proposes.
Trying to co-operate with the government to do something which is at the backbone of the new economy and it will not even talk to us. Apparently, that is how the government wants to do business. Fortunately, like so many Canadians, I hope that these are the dying days of a government with such arrogance and indifference to what Canadians want.
The efforts to try to fix this bill fell on deaf ears. My colleague, the digital critic from Terrebonne—Blainville, proposed that the Privacy Commissioner be the one who determined whether a data breach was significant enough to report, which makes sense, as opposed to the fox in the henhouse, where a company has to decided whether it is big or little.
That is not for banks to decide, whether they weigh their reputational risk that they might have versus consumers' rights. I know who could do that, an officer of Parliament. That would be the right person to do that. That is what my colleague suggested. The Conservatives propose putting the burden on companies.
Here is the problem with that, and not only the obvious conflict of interest but there are large companies, think banks, telecoms, companies of that size, that have departments that are responsible for privacy protection. More and more companies have what is called chief privacy officers to regulate this very technical area of the law.
They do a good job sometimes, but they often have this penchant that they obviously feel when they are trying to protect privacy, which is their job description, and not make a career-limiting move when information that is disclosed could cause harm, and the company would be angry with them and shoot the messenger. I have talked to CPOs in companies that tell me that the conflict is alive and well and I can understand that.
Small companies do not have these chief privacy officers, for example, to determine whether there is a significant breach or a significant risk of harm. They have no idea what to do. They want to co-operate, but they do not have the personnel or expertise to do it.
My colleague reasonably suggested that we give them a little help by letting them have access to the Privacy Commissioner's expertise and resources. Is that not a common sense provision? Is that not one that would help those small start-ups in the e-commerce industry that would really like the opportunity to do the right thing but do not have the budget to do it?
The economy in my community, the largest sector now, is not tourism or hospitality, it is high tech. The people who are producing the largest contribution to the Victoria economy are people who are just in this situation, wanting to understand the rules of the game in the new e-commerce, looking to the government to give them clarity, make it easy for them to do the right thing, so they can compete internationally, as they are doing so effectively, and to be onside with the European Union's incredibly stringent rules.
Guess what? They do not have a CPO, paid $150,000 a year or whatever, like the large banks would. The government has done nothing to assist them and they are angry about it. They do not understand why this so-called business-friendly government simply does not get it.
Some 18 amendments were proposed by the NDP and 18 amendments declined by the government of the day. We tried to work it out, but the government just wanted to jam it through. To add insult to injury, for the 97th time it used time allocation on a bill of a technical nature like this. I think the government is over 100 times now.
In the history of Parliament, has there ever been a government that has done this more often? I certainly do not know. I want to study it. I have a student looking at this because the arrogance and the anti-democratic behaviour of the government has to be exposed. The 97th time was for a bill on digital privacy. It is shocking and shameful that we are in this world today with this government.
The Supreme Court has told us that warrantless searches are wrong. They are unconstitutional. My colleague from Toronto—Danforth said we should send it to the court for a constitutional reference. We cannot have yet another loss in the Supreme Court. How many would that be? I have lost count. It is six or seven. How about having a reference to the Supreme Court of Canada?
The leader of the opposition asked for that today with respect to Bill C-51. The government, of course, would never do that. It just wants to go lose again in the Supreme Court.
The Spencer case in 2014 established that warrantless searches are a bad thing. How can the government then put these searches into Bill S-4, the bill before us, and pretend it is going to be constitutional? It is great work for lawyers. I have many friends who welcome the government's position because it is a make-work project for constitutional lawyers, but is it helping the Canadian taxpayers? Is it helping the e-commerce businesses, those little businesses from coast to coast that are struggling in this international economy? Do they have the clarity they need to go forward? Why do we have to waste our time with yet another Supreme Court loss by the government? It makes no sense.
Could the government have co-operated a little with people of good faith who wanted to make it better and solve this problem, as New Democrats tried to do in committee? One would think the government would welcome that, but it simply said no.
My next point is kind of a technical thing, but I want to raise it. We talked about breach notification, and I want to give an idea of how complicated this is for the little mom-and-pop or individual family businesses that are now arising in the economy. Clause 10, which would add section 10.1 to PIPEDA, talks about the kind of notification that is required when there is a breach. I want to give an idea of how complicated this can be and how lack of clarity means something.
Proposed subsection 10.1(5) says, “The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.”
Three times the word “prescribed” is mentioned, which means it will be prescribed by regulation to follow later. There would be regulations that would define the kinds of things that would have to be done to give notification of a breach. However, as an example, let us take a small business that is trying to do the right thing. When there is a breach, it wants to notify people immediately. What is it going to do? Until there are regulations, it is utterly meaningless.
I know the government will bring in regulations eventually. That is a good thing, and I am sure companies are looking forward to seeing them, but as they plan ahead in this incredibly dynamic sector, they do not have a clue, and neither do we. None of us can say what those prescribed requirements are, because “prescribed” means to follow later in regulations, regulations nowhere to be found. People will have to try to figure that out. People sitting in a little start-up in Victoria or St. John's or Toronto or Montreal will have to try understand how to work their way through this difficult bill.
It is a history of neglect. It is a history of failure to listen to the opposition, which wanted to work together to create this regime. It has a history of eight or nine years in coming to the dying days of Parliament, but we should not worry, because it is urgent now, according to the Minister of Industry.
New Democrats do not believe it.
Therefore, I move:
That the motion be amended by deleting all the words after the word “That” and substituting the following:
“this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it:
a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected;
b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies;
c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances;
d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and
e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”