House of Commons Hansard #233 of the 41st Parliament, 2nd Session. (The original version is on Parliament's site.) The word of the day was s-4.

Topics

Question No. 1323Questions Passed as Orders for ReturnsRoutine Proceedings

4:55 p.m.

Liberal

John McKay Liberal Scarborough—Guildwood, ON

With regard to lapsed spending by Environment Canada, Parks Canada and the Canadian Environmental Assessment Agency: (a) how much has each department and agency lapsed in each of fiscal years 2006-2007 to 2014-2015 inclusive, broken down on a program-by-program basis; and (b) what are the answers to (a), provided in digital .csv format?

(Return tabled)

Questions Passed as Orders for ReturnsRoutine Proceedings

4:55 p.m.

Conservative

Tom Lukiwski Conservative Regina—Lumsden—Lake Centre, SK

Mr. Speaker, I ask that the remaining questions be allowed to stand.

Questions Passed as Orders for ReturnsRoutine Proceedings

4:55 p.m.

Conservative

The Acting Speaker Conservative Barry Devolin

Is that agreed?

Questions Passed as Orders for ReturnsRoutine Proceedings

4:55 p.m.

Some hon. members

Agreed.

Motions for PapersRoutine Proceedings

4:55 p.m.

Regina—Lumsden—Lake Centre Saskatchewan

Conservative

Tom Lukiwski ConservativeParliamentary Secretary to the Leader of the Government in the House of Commons

Mr. Speaker, I ask that all notices of motions for the production of papers be allowed to stand

Motions for PapersRoutine Proceedings

4:55 p.m.

Conservative

The Acting Speaker Conservative Barry Devolin

Is that agreed?

Motions for PapersRoutine Proceedings

4:55 p.m.

Some hon. members

Agreed.

Motions for PapersRoutine Proceedings

4:55 p.m.

Conservative

The Acting Speaker Conservative Barry Devolin

It is my duty pursuant to Standing Order 38 to inform the House that the questions to be raised tonight at the time of adjournment are as follows: the hon. member for Churchill, Aboriginal Affairs; the hon. member for Surrey North, Public Safety; the hon. member for Québec, Consumer Protection.

I also wish to inform the House that because of the deferred recorded divisions, government orders will be extended by 69 minutes today.

Digital Privacy ActGovernment Orders

4:55 p.m.

Conservative

Digital Privacy ActGovernment Orders

June 17th, 2015 / 4:55 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, I am pleased to rise in my place today to speak to Bill S-4, the digital privacy act.

Last year our government launched digital Canada 150, an ambitious plan for Canadians to take advantage of the opportunities of this digital age. It is a broad-based ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and to connect Canadians to each other. As the digital economy grows, individual Canadians must have confidence that their personal information will be protected. That is why under digital Canada 150, one of the five pillars is known as “protecting Canadians”.

The digital privacy act would provide important and long awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities while also setting guidelines for the collection, use and disclosure of personal information.

These rules are based on a set of principles developed jointly by government, industry groups and consumer representatives. The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, the amendments would clarify rules for businesses and reduce red tape.

These guidelines would ensure that vital information is available to Canadian businesses so that they have the necessary tools to thrive in a global economy. Balancing individual expectations for privacy and the need for businesses to access and use personal information in their day-to-day operations is important. Bill S-4 gets this right. It assures individuals that no matter the transaction, their personal information will continue to be protected under Canadian law.

The need to update the rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements. The bill before us does exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The Privacy Commissioner will also be notified.

An organization that deliberately covers up a data breach or intentionally fails to notify individuals and report to the commissioner could face significant fines as a result.

Let me now take a minute to point out some of the ways in which the bill before us creates an effective streamlined regime for reporting data breaches. The digital privacy act establishes a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach.

If a business determines that the data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and the Privacy Commissioner.

If the organization determines that the data breach does not pose a risk of significant harm, that is, its data security safeguards were compromised but it avoided a situation where the customers are exposed to a threat, like identity theft, fraud or humiliation, then that organization must keep a record of that breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, serves two purposes. First and most important, it requires companies to keep track of when their data security safeguards failed, so that they can determine whether or not they have a systemic problem that needs to be corrected.

An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individual affected may not be so lucky. Keeping track of these breaches will help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the Privacy Commissioner to hold organizations accountable for their obligations to report serious data breaches. At any time, the Privacy Commissioner may request companies to provide these records which will allow the commissioner to make sure that organizations are following the rules.

If companies choose to deliberately ignore these rules, the consequences as set out under the digital privacy act are serious. Bill S-4 would make it an offence to deliberately cover up a data breach or intentionally fail to notify individuals and report it to the commissioner.

In these cases, organizations could face a fine of up to $100,000 for every individual they fail to notify. These penalties represent one way that the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee:

I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill. Proposals such as the breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm. We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I have been discussing the data breach rules which are a very important element of the bill before us. I would like now to turn my attention to four ways that Bill S-4 would strengthen Canada's privacy rules.

First, the bill establishes strong consent requirements to protect vulnerable individuals online, particularly children. These enhanced consent provisions were introduced as a result of recommendations made by Parliament during the first statutory review of PIPEDA.

Under PIPEDA, organizations need to obtain an individual's consent to collect, use, or disclose their personal information. Under the bill before us, an individual's consent would not be considered valid unless the way the information will be used is clearly communicated in language appropriate to the target audience.

For example, some businesses operate online playgrounds or educational websites that target children and collect personal information of children that is used for marketing and other purposes. Bill S-4 requires that the language used to obtain consent must be such that a child could reasonably be expected to understand the nature, purpose and consequence of sharing his or her personal information. If the consent request is too complicated for the child to understand, the consent would not be valid.

Again, the Privacy Commissioner of Canada supports this amendment. He told the committee:

I think it would be useful to further clarify that consent is to be evaluated from the perspective of the person whose consent is invoked. Organizations would be asked to put themselves in the shoes of various clientele from whom they are collecting information so that consent is as meaningful as possible.

Second, Bill S-4 seeks to harmonize federal laws with provincial privacy protection laws when it comes to a sharing of personal information without consent in narrow, limited circumstances.

PIPEDA already provides for a number of circumstances where personal information can be shared without consent when it is clearly in the public interest to do so. The amendments in Bill S-4 would add to this by allowing information to be shared in order to protect seniors and other vulnerable individuals from financial abuse or neglect, communicate with the family of an injured or deceased individual, or identify a victim of an accident or a natural disaster.

In his testimony before the standing committee, Mr. Marc-André Pigeon, director of financial sector policy at Credit Union Central of Canada expressed his strong support for Bill S-4 and the financial abuse amendment. He said:

In general, we think Bill S-4 does a lot of things right. We are especially pleased with the provisions that would make it easier for credit unions to share personal information with the next of kin or authorized representatives when the credit union has reasonable grounds to suspect that the individual may be a victim of financial abuse.

The third way that Bill S-4 would strengthen PIPEDA would be through changes that would support day-to-day business operations. The digital privacy act would remove unnecessary red tape for businesses by allowing for the collection, use and disclosure of personal information without consent in the context of specific legitimate business activities. For example, Bill S-4 would allow information to be more readily available in order to conduct due diligence in the context of mergers and acquisitions.

Similarly, the digital privacy act would allow businesses to share any type of business contact information in order to carry out normal business activities. It is simply ridiculous that PIPEDA allows an employee to share an office phone or fax number, but not an email address. Bill S-4 would fix this problem, a solution supported by the Retail Council of Canada. It told the committee:

—we support the clarification on the exclusion of business contact information...This section 4 clarification will better equip businesses to conduct their ongoing operations.

Finally, the digital privacy act would make existing compliance tools stronger and more effective. PIPEDA is enforced by the Privacy Commissioner of Canada who can turn to the Federal Court when an organization is found to break the rules. Bill S-4 would also give Canadians the option of taking an organization to Federal Court to order an organization to change its practices or to seek damages.

While the digital privacy act would keep those options open, it would also provide an alternative to court action such as voluntary compliance agreements. Under a compliance agreement, organizations would voluntarily commit to take action to comply with the law to avoid costly legal action. The agreements would be legally binding and would allow the commissioner to hold organizations accountable to follow through on their commitments to private privacy protection.

Again, the Privacy Commissioner expressed his strong support for this tool when he appeared before the standing committee. He said that the compliance agreement amendment was “very necessary” and “helpful for us to implement and apply”.

Canadian organizations care about their reputation and they know that sound privacy practices will have a lasting impact on the legitimacy of their brand. They also know that the reverse is true, that if their customers find out about shoddy privacy practices, their businesses will suffer. This is why the digital privacy act would give the Privacy Commissioner broader powers to name and shame a non-compliant organization to encourage it to take corrective action.

If either of these measures fail to provide the right incentives for businesses to fix their privacy problems, Bill S-4 would give the Privacy Commissioner more time to take them to court. Under the current law, the commissioner only has 45 days after he finishes the investigation to take the organization to court.

The Privacy Commissioner told the standing committee that it was simply not enough time, given the high complexity of issues with which his office dealt. Quite often, the Privacy Commissioner will work with organizations for several months, if not a year, to ensure they follow through on their commitments to fix any problems he has identified. The problem, of course, is that organizations can simply delay taking action for a couple of weeks, knowing that after 45 days, the commissioner will no longer have the option to take them to court. Bill S-4 would fix this problem and would provide the commissioner with a year to take an organization to court for non-compliance.

I have just outlined the five major provisions in Bill S-4, which include: new data breach rules; clear requirements when obtaining consent from individuals, including from minors; changes to support other public interest objectives, like fighting financial abuse; reducing the red tape for day-to-day operations; and new compliance tools for the Privacy Commissioner of Canada.

It is clear that Bill S-4 would deliver a balanced approach to protect the personal information of Canadians, while still allowing the information to be available to the growing, innovative digital economy.

Karl Littler, vice-president of Public Affairs at the Retail Council of Canada, summed it up best when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

We have it right with this digital privacy act. Both businesses and consumers have been empowered in this digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting personal information, and that is essential to conduct business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians. I urge hon. members to join me in supporting this bill.

Digital Privacy ActGovernment Orders

5:10 p.m.

NDP

Ève Péclet NDP La Pointe-de-l'Île, QC

Mr. Speaker, I heard my colleague mention amendments. However, the Conservatives rejected one of our critical amendments that was supported by many witnesses. That is rather problematic. We wanted to work with the Conservatives, but as usual, they turned a deaf ear in committee and refused to work as a team.

Why did they once again refuse to accept our amendments, which would have corrected and improved the bill so that we could better protect Canadians? As it now stands, Bill S-4 is still quite flawed. For example, it leaves it up to the companies to enforce the regulations, which is unacceptable.

I would therefore like my colleague to explain why the Conservatives rejected our amendments.

Digital Privacy ActGovernment Orders

5:10 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Clearly, Mr. Speaker, when the committee looked at the amendments, they were not considered suitable or applicable at that stage. There is a lot of confidence in the companies that we are working with and that are working on these. The recommendations in this bill came from the companies, as well as all the industries, et cetera. Therefore, I do not think there was any need for those changes to be admitted in.

Digital Privacy ActGovernment Orders

5:15 p.m.

Liberal

Ted Hsu Liberal Kingston and the Islands, ON

Mr. Speaker, I would like to repeat the question of my hon. colleague on the opposition benches. I want to ensure that the government member really believes this is the best possible bill we could pass in the House of Commons, since we are at third reading debate.

Forty-two opposition amendments were passed over, I understand, with very little discussion, explanation or even defence of the rejection of those amendments. It is really a simple question, and perhaps my hon. colleague has already answered it. However, I would like him to say clearly whether he believes this is the best possible bill we could pass.

Digital Privacy ActGovernment Orders

5:15 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, on any bill that comes through the House, the question can be asked whether it is the best bill. We believe this is the best bill we have for this time, for this place, for now, in protecting the privacy of Canadians who are working in this digital economy. We believe these things will strengthen PIPEDA and close the gaps. That is why we have submitted it.

Digital Privacy ActGovernment Orders

5:15 p.m.

Oshawa Ontario

Conservative

Colin Carrie ConservativeParliamentary Secretary to the Minister of the Environment

Mr. Speaker, I want to thank my colleague for his description of the balanced approach we have taken, in contradiction to the NDP's heavy-handed approach. I would like him to comment on how Bill S-4 would amend PIPEDA to reduce red tape for normal business activities.

Digital Privacy ActGovernment Orders

5:15 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, our government understands the need for businesses to conduct normal, everyday activities, and not be inundated with red tape, while at the same time maintaining the privacy of Canadians.

The digital privacy act proposes common sense changes that recognize that companies need access to and the use of personal information to conduct legitimate business activities, for example, taking a merger and acquisition process, an insurance claim, or sharing an employee's email address and fax number with another company in those circumstances. These important fixes were introduced in response to unanimous recommendations made during the first parliamentary review.

The digital privacy act would reduce the unnecessary red tape for businesses, while also maintaining and protecting privacy rights for Canadians.

Digital Privacy ActGovernment Orders

5:15 p.m.

NDP

Rosane Doré Lefebvre NDP Alfred-Pellan, QC

Mr. Speaker, it is truly a pleasure for me to ask my colleague opposite a question on behalf of my constituents from Alfred-Pellan in Laval.

In the bills that the Conservatives introduce, the devil is often in the details. When examining the proposals set out in Bill S-4, I had some concerns that I would like to raise.

One of those concerns in particular reminds me of the nightmare of Bill C-51 and its lack of a proper oversight mechanism. Bill S-4 presents the same type of problem. It would allow greater access to personal information without a warrant and without provisions for an oversight mechanism.

In fact, I am wondering why the Conservative government is working so hard to allow snooping without a warrant and why it is creating bigger holes with bills such as Bill S-4.

Digital Privacy ActGovernment Orders

5:15 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, while we look at what the question is about, we already have this information in the system. This is information that people have put online with businesses they are working with to ensure that information is used for legitimate businesses. There is no need for a warrant for those sorts of information unless some criminal activity is going on, in which case there would be a warrant. I do not think there is any relevance to that question, to be quite frank.

Digital Privacy ActGovernment Orders

5:15 p.m.

Liberal

Kevin Lamoureux Liberal Winnipeg North, MB

Mr. Speaker, when we look at the process of Bill S-4, is it any wonder that Canadians look at Ottawa and come to the determination that Parliament is broken? There is a need for real change, and the Liberal Party of Canada will be advocating for that.

Let us look at this bill. We have legislation before us that has some serious flaws. We had the opportunity in committee stage to make some changes with amendments. The majority government, over the years, has made the determination that it does not matter what kind of amendment it is if it comes from the opposition benches. It is an automatic default that amendments are bad unless they are Conservative amendments.

Will the member not recognize that this bill is faulty in the sense that the many amendments that were brought forward, whether from the Liberal Party or other opposition members, did have some merit to them? Would he not acknowledge that fact?

Digital Privacy ActGovernment Orders

5:20 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, that was an interesting question.

Of course there is some merit in all of these things. This bill was specifically designed to fix some of the issues in PIPEDA. It would provide that oversight with the Privacy Commissioner. It would do everything that we need to do to fix the issues for now. Some of the changes that were proposed were not accepted for those various reasons. They were looked at and therefore rejected.

Digital Privacy ActGovernment Orders

5:20 p.m.

Scarborough Centre Ontario

Conservative

Roxanne James ConservativeParliamentary Secretary to the Minister of Public Safety and Emergency Preparedness

Mr. Speaker, I listen to the remarks of my hon. colleague from Don Valley East. He talked a bit about fighting financial abuse. He went on to say something related to making it easier to contact a family member or next of kin when financial abuse was suspected.

Could the member tell us who might fall victim to this type of financial abuse and why the legislation is so important in order to protect these people?

Digital Privacy ActGovernment Orders

5:20 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, there are several categories of people who are vulnerable: children who are now doing a lot more work online than many adults, and seniors who are also online and are likely to be subject to financial fraud, et cetera. The bill would allow for somebody to identify that there was a potential fraud taking place and would allow communication with somebody responsible for those people to analyze and see if these could be fixed. The bill ensures we make that provision for those people.

Digital Privacy ActGovernment Orders

5:20 p.m.

NDP

Rosane Doré Lefebvre NDP Alfred-Pellan, QC

Mr. Speaker, I would like to ask my colleague across the way another question about Bill S-4.

According to some experts, many parts of Bill S-4 are unconstitutional. Why, then, will the government not simply take out the parts that are unconstitutional, especially in light of the Spencer ruling?

I would like my colleague to comment on that.

Digital Privacy ActGovernment Orders

5:20 p.m.

Conservative

Joe Daniel Conservative Don Valley East, ON

Mr. Speaker, as we reviewed the bill in committee, issues of unconstitutionality were never raised. Therefore, there does not seem to be a problem with it from that perspective. Bills go through the usual process of legal assessment before they are put forward, to understand whether that is the case. I do not think there is anything in there that is unconstitutional.