Mr. Speaker, unfortunately, as lawmakers we know from experience that there will always be those who will break the rules. That is why Bill S-4 would make important improvements to PIPEDA's compliance framework. These changes would ensure the commissioner has the necessary tools to ensure organizations respect the law and protect the privacy of Canadians.
The digital privacy act would set out serious consequences for any organization that deliberately ignores its data breach obligations and intentionally attempts to cover up a data breach. Bill S-4 would make it an offence for any organization to deliberately fail to notify individuals, report to the commissioner, or keep the necessary records.
In these cases of deliberate wrongdoing, an organization could face fines of up to $100,000 per offence. I want to ensure this point is very clear. It would be a separate offence for every single person and organization that is deliberately not notified of a potentially harmful data breach, and each offence would be subject to a maximum $100,000 fine.
These changes are widely supported by stakeholders, as evidenced by witness testimony during the committee's review of the bill. Professor Michael Geist stated:
These disclosure requirements are long overdue as I think it creates incentives for organizations to better protect their information and allows Canadians to take action to avoid risks such as identity theft. There are aspects in this bill that are an improvement over the prior bills, Bill C-12 and Bill C-29, most notably the inclusion of actual penalties that are essential to create the necessary incentive for compliance.
At committee, the Canadian Internet Policy and Public Interest Clinic stated:
We're very grateful to see a penalty regime for instances where the breach notification obligations are knowingly ignored... The fines currently in PIPEDA are designed as penalties for very overt offences.
The list continues. The Canadian Bankers Association stated:
We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.
The Canadian Life and Health Insurance Association Inc. was also supportive. It stated that the bill takes a balanced approach to the responsibilities placed on businesses and organizations, but most importantly, it will protect the consumers of those businesses and give individuals the information they need to take corrective action when it is necessary.
The digital privacy act does indeed take a balanced approach, one that avoids the over-reporting of harmless incidents while ensuring that the commissioner has the necessary tools to oversee whether organizations are meeting their obligations under Bill S-4.
This balanced approach would also ensure that punishment is reserved for the most egregious offenders, those who knowingly and deliberately try to circumvent the law. Those organizations caught making a mistake in good faith would instead work with the Privacy Commissioner under the existing dispute resolution tools in the act.
Our government recognizes that many organizations already notify individuals of data breaches in a responsible manner.
Let me be very clear. The penalties in the digital privacy act would target the bad apples, those organizations that willfully and knowingly disregard their obligations or, worse, cover up a breach.
The digital privacy act would encourage all organizations to play by the same rules. It would provide incentives to comply with the new data breach obligations, and also to implement appropriate data security practices to prevent breaches from happening in the first place.
By requiring organizations to keep records of their data breaches and by enforcing the requirements with stiff penalties, these amendments would increase the accountability of organizations to maintain good privacy practices and would provide the Privacy Commissioner with the tools he needs to enforce these protections.
I urge hon. members to join with me in supporting the bill.