Mr. Speaker, I will be sharing my time with the member for Kelowna—Lake Country. I appreciate the timeline on this.
I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act, which would make a number of important changes to strengthen Canada's private sector privacy law, the Personal Information Protection and Electronic Documents Act, or what is more commonly known as PIPEDA.
Data breaches are very concerning to Canadians. In fact, a recent survey conducted by the Office of the Privacy Commissioner in 2014 found that news of data breaches among several large retailers had made 80% of Canadians more reluctant to share their personal information with businesses. This is simply unacceptable. Canadians need to know that when they choose to share their personal information with a business, it will be protected and kept confidential.
The proposals in Bill S-4 will amend PIPEDA to significantly strengthen the current law and ensure that the privacy of Canadians will be protected when it comes to the rules that companies must abide by when they collect, use or disclose personal information in the course of commercial activities. In the current legislation, there is no legal obligation for businesses and organizations to tell customers and clients when their personal information has been lost or stolen.
The digital privacy act would correct this by making important changes to PIPEDA and implement new data breach requirements for businesses. These changes would ensure that organizations would be taking appropriate steps to notify Canadians. The requirement for mandatory notification is welcomed by many stakeholders, in particular the Privacy Commissioner of Canada. In his recent annual report to Parliament on PIPEDA, he stated:
—we welcome the proposed amendment to PIPEDA in Bill S-4, the Digital Privacy Act, which seeks to implement mandatory breach notification.
He went on to say:
Mandatory notification will also provide a clearer picture of the frequency and type of data breaches experienced by organizations.
Mandatory notification would better inform Canadians of situations in which their personal information has been compromised. It would also enable Canada to keep pace with other jurisdictions where similar measures have been enacted or are being considered.
As we have discussed many times, strong rules are meaningless if they are not backed up with strong compliance tools. Bill S-4 would give the Privacy Commissioner of Canada the necessary tools to hold companies accountable when it comes to the protection of the personal information of Canadians.
In addition to the notification provisions, Bill S-4 would also require organizations to keep a record of the event, regardless of whether a breach posed a risk of harm. These records would not only allow organizations to demonstrate due diligence in the risk assessment, but would also require companies to keep track of when their data security safeguards fail so they could determine whether they have a systemic problem that would need to be corrected. What is more, organizations will be required to provide these records to the commissioner upon request at any time.
This record-keeping requirement will give the Privacy Commissioner the appropriate tools to hold organizations accountable for their obligation to report serious data breaches. Once again, I would like to quote the Privacy Commissioner's 2014 annual report, where he stated:
—requiring organizations to keep and maintain a record of breaches, and provide us with such information upon request would be an important accountability mechanism. Our Office would be able to evaluate compliance with the notification provisions and assess how organizations are deciding whether—