House of Commons Hansard #222 of the 41st Parliament, 2nd Session. (The original version is on Parliament's site.) The word of the day was youth.

Topics

Digital Privacy ActGovernment Orders

4:20 p.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

Mr. Speaker, I thank my colleague for her speech.

I would like her to come back to why this bill is coming from the Senate. The question was asked earlier, but the government did not provide an answer.

Would the hon. member like to tell us why the government has decided, more than once, to have unelected senators introduce bills that in fact are government bills, and likely from the Minister of Industry?

Why did the Conservatives decide to send this bill to the Senate before elected members of the House could look at it? They could have simply introduced the bill here and let it follow the usual process, like most bills introduced by the government.

Digital Privacy ActGovernment Orders

4:20 p.m.

Conservative

Tilly O'Neill-Gordon Conservative Miramichi, NB

Mr. Speaker, I assure the House, and the member opposite must know as well, that this bill has to go through the two Houses regardless. Therefore, that is the path we chose. It will be well worth it to get it moving on, and well received by all Canadians because it is a very important change.

Digital Privacy ActGovernment Orders

4:20 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, the thing that bothers me about this whole process is that this bill was introduced in the Senate first, as the hon. member for Sherbrooke mentioned in his question, and then brought to the House.

We even adopted a motion to study the bill before second reading stage, which instilled confidence and was a sign of good faith. We thought we could amend this bill and make the necessary changes to ensure that it truly protects Canadians' personal information in the digital age.

However, the government kept saying we did not have enough time to amend the bill because it needed to be passed as quickly as possible.

I want to point out that this government introduced similar bills in the past and I myself introduced a bill on this topic that we could have passed and would already have become law. The Conservatives refused it all. They did nothing and now suddenly they are making this an urgent matter.

Why did they fail to do anything about this before it became an urgent matter?

Digital Privacy ActGovernment Orders

4:20 p.m.

Conservative

Tilly O'Neill-Gordon Conservative Miramichi, NB

Mr. Speaker, I assure the member opposite, and all members of the House, that our government is getting the job done, and that is why we are moving on.

Digital Privacy ActGovernment Orders

4:20 p.m.

Conservative

Rodney Weston Conservative Saint John, NB

Mr. Speaker, I am pleased to rise today to speak Bill S-4, the digital privacy act, which would significantly strengthen Canada's private sector privacy law.

In today's increasingly digital world, Canadians need to have confidence that their online transactions are secure and their privacy is protected. Unfortunately, data breaches, computer hacks, malware and other online threats are simply a reality of today's modern digital landscape. If Canadians do not trust that their private information is safe when it is in the hands of business, then they will not provide it. Without the free flow of information, our digital economy will stall. This is why strong, effective privacy laws that protect personal information are essential to building consumer trust and confidence. Canadian businesses need clear and balanced rules to follow so that their handling of personal information meets the expectations of Canadians.

The digital privacy act would provide important improvements to Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA. Canadians want control over their personal information and our privacy laws give them exactly that. PIPEDA requires businesses to obtain a person's consent before collecting his or her personal information and ensures that this information is used only for the stated purposes. PIPEDA also gives Canadians control over which type of information is collected about them, how it is used and with whom it is shared. PIPEDA holds businesses accountable for the private information they hold, requiring them to keep it safe and out of the hands of hackers or thieves.

Further, the law gives Canadians the right to access their information at any time to make sure that it is accurate while also giving the Privacy Commissioner strong tools to enforce compliance. Privacy is a major concern for Canadians and they want to know that their personal information is secure. Businesses that can offer that security have a clear competitive advantage.

If I have a choice between a company that does not make protecting my personal information a priority versus one that tells me exactly what information it is collecting and how it is protecting it, I am going to choose the business that offers me the most protection. Businesses that are clear about what they are doing with personal information and have appropriate safeguards in place to protect that information will have an advantage in the marketplace.

Thankfully, limiting the collection, use and disclosure of personal information, having appropriate safeguards and being open about privacy practices are all part of the founding principles of PIPEDA. PIPEDA applies to all private sector organizations operating in Canada. It came into force on January 1, 2001, and its framework has stood the test of time. It is based on a set of 10 internationally recognized principles called the fair information principles. These principles give individuals control over their personal information and the way it is managed in the private sector. They establish strong privacy rights for Canadians and real obligations for companies.

By requiring businesses to protect personal information, PIPEDA is not only protecting the privacy rights of Canadians but is helping contribute to a vibrant Canadian economy. These founding fair information principles for PIPEDA mean that the act is flexible and scalable and allows data to move seamlessly across borders, all of which are good for Canadian businesses. PIPEDA is a flexible piece of legislation. It is technology neutral, which means that it evolves and will apply to new technologies in businesses as they emerge. It applies to all categories of businesses, not just one sector. It also lets companies find innovative new ways of protecting privacy because it is not overly prescriptive.

As I said, PIPEDA is also scalable. It applies to organizations of all sizes in Canada. Whether a small business or a large multinational corporation is doing business in Canada, it is governed by PIPEDA. Having a foundation based on these internationally recognized principles, being flexible and scalable, all contribute to PIPEDA reducing unnecessary red tape for businesses while also maintaining and protecting the privacy rights of Canadians. This puts Canada at a strategic advantage globally.

PIPEDA's balance between these two approaches allows Canadian businesses to be competitive in different markets around the world. By not being overly burdensome, PIPEDA allows Canadian businesses to adapt to new technologies as they emerge, thus allowing them the opportunity to compete with international markets and increase their revenues. At the same time, because PIPEDA is not overly lenient, Canadians can feel secure that their personal information will be protected in their dealings with businesses in Canada. It is clear that privacy is important for businesses and our economy.

Clearly, PIPEDA supports business activities, while protecting the personal information of consumers. Bill S-4 takes Canada's privacy protection a step further and clarifies rules for businesses.

Our government recognizes that companies need to have access to and use personal information to conduct business activities. That is why Bill S-4 provides a clear set of guidelines for businesses when it comes to the collection, use and disclosure of the personal information of Canadians in the course of commercial activities. These activities can include undertaking a merger or acquisition, processing an insurance claim or simply share an employee's email address and fax number with another company.

Bill S-4 would maintain PIPEDA's balanced approach and would provide important clarifications for businesses to conduct themselves with confidence, while at the same time offering consumers the assurances they need that their information is being protected.

The digital privacy act would also provide for oversight and accountability to ensure that when safeguards failed, individuals would told about it and could take the appropriate measures to protect themselves.

The balanced approach found in PIPEDA and continued in Bill S-4 is an important element in establishing a growing trust and confidence in today's digital economy. Once again, it is that consumer trust and confidence that will help businesses and the economy to flourish. It is that trust and confidence that will help us to continue to build a digital Canada.

Thanks to PIPEDA and the improvements proposed in Bill S-4, Canadians can be confident that their privacy is being protected when they provide their personal information to businesses.

The digital privacy act proposes common sense changes that will reduce red tape for businesses, while also maintaining and protecting the privacy of Canadians. A clear set of rules for privacy protection allows businesses to focus on providing exceptional service to their clients, while simultaneously offering them an advantage in today's increasingly competitive worldwide marketplace.

I want to take this opportunity to urge all hon. members to join me in supporting the bill.

Digital Privacy ActGovernment Orders

4:30 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, this bill establishes a mechanism to be used by organizations to report data breaches, data thefts, and so forth, which is very important. I called for such a mechanism in the House and proposed one in my Bill C-475.

However, the model proposed by the government in this bill is extremely subjective. The organization itself determines whether or not the data breach is serious and whether or not to notify the people concerned. Some data breaches may not be reported to the commissioner or the individuals in question. The individuals would not have the opportunity to take the necessary steps to properly protect themselves.

Instead of implementing a subjective measure, why not implement an objective measure that would put more power in the hands of the individuals whose identity or personal information has been stolen or breached?

Digital Privacy ActGovernment Orders

4:30 p.m.

Conservative

Rodney Weston Conservative Saint John, NB

Mr. Speaker, the member talked about the bill she brought before the House. However, I think we all have to agree that Canada does not need a heavy-handed approach that would add red tape for businesses and increased cost. We are all about increasing business in our country, driving our economy, and trying to create jobs and seeing Canadians work.

The Privacy Commissioner also agrees with us. He said:

—we believe it would be counterproductive to require organizations to notify individuals of all breaches. Similarly, we do not think it would be practical or efficient to require organizations to notify our Office of all breaches.

The Privacy Commissioner understands that the heavy-handed approach that the member opposite talks about in requiring more red tape for our businesses does not drive our economy. It is not beneficial to Canadians as a whole, and that is why we could not support that approach.

Digital Privacy ActGovernment Orders

4:30 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, I simply want to respond to the hon. member's answer. My proposal ensured that the Privacy Commissioner was the one who determined whether the data breach was significant enough to report. What the Conservatives are proposing will put the burden on companies because, regardless of how big they are, this law applies to them. There are larger companies that have departments responsible for ensuring that people's privacy is respected and our country's laws are complied with. However, it is more difficult for small companies to determine whether that is the case. Some have no idea what to do, not because they do not want to co-operate, but because they simply do not have the people to do it. Why not help them out a little by giving them access to the Privacy Commissioner's resources and expertise?

I would like to reiterate that the Conservatives' bill provides far less help to small and medium-sized businesses.

Digital Privacy ActGovernment Orders

4:30 p.m.

Conservative

Rodney Weston Conservative Saint John, NB

Mr. Speaker, Bill S-4 would better protect the privacy of Canadians by requiring organizations to inform Canadians when their personal information had been lost or stolen. Organizations would also be required to keep all records of data breaches and report significant breaches to the Privacy Commissioner of Canada. Organizations that deliberately covered up a data breach or intentionally fail to notify individuals and report to the commissioner could face up to $100,000 for every individual they have failed to inform.

The law being put into place would protect Canadians. It would force businesses to be expedient when they were dealing with the personal information of Canadians. I trust that businesses in our country will take this very seriously when they look at the penalties that are in place for any breach of privacy that might occur.

By keeping these records, if a complaint is laid, the Privacy Commissioner can go to the records at any time and if the breach has not been recorded or if there is any further breach, the maximum penalty can be applied.

Digital Privacy ActGovernment Orders

4:30 p.m.

NDP

The Deputy Speaker NDP Joe Comartin

It is my duty, pursuant to Standing Order 38, to inform the House that the questions to be raised tonight at the time of adjournment are as follows: the hon. member for Charlesbourg—Haute-Saint-Charles, Official Languages; the hon. member for Windsor West, Tourism Industry.

Digital Privacy ActGovernment Orders

4:35 p.m.

NDP

Craig Scott NDP Toronto—Danforth, ON

Mr. Speaker, it is my pleasure to speak to Bill S-4, and I would like to do so by addressing three themes. The first will be how Bill S-4 reflects rather badly on our democratic process. The second theme will be that Bill S-4 is already hopelessly out of date. It is behind the technological times. The third theme is that there are worrisome features in Bill S-4 to the extent that it would inadequately protect privacy, even within the limits of what it is trying to do.

On that first theme of democracy, we should recall that a lot of what has subsequently come through the House in a series of different bills started with Bill C-30, which I always called the Internet surveillance bill. It got so panned by experts and civil society that the government tried to take it off of the table in the House by sending it to committee for study before second reading. It then disappeared, because the government knew that too much in there had attracted too much early attention from Canadians.

I mention that, because parts of it have begun to reappear in bits and pieces since Bill C-30 disappeared.

Bill S-4 uses one of the same techniques as Bill C-30 to try to take it away from public scrutiny. It is ironic that the method it would use is one that was recommended by the McGrath committee in 1982 or 1984, which is to make better use of committees by having them look at bills before the principle of the bill has been fixed, by having the government send the bill to committee before second reading. That is between first and second reading. It would allow committees to effectively look at the bill as a strong draft from the government, but for MPs, presumably from all parties, to try to improve and perfect the bill without being hamstrung in the way we are now in our committee study of bills by the principle having been fixed, as it gets fixed when we go to second reading for a bill in principle.

Bill S-4 did get sent to committee and, surprise, surprise, with the way that the government has operated since I have been here and since it got a majority in 2011, there were no amendments. The government rejected every amendment and presented no amendments itself. It was as if it had not heard anything that had convinced it of anything, despite all of the witnesses who had appeared and who, in very measured tones and with a very focused analysis, had indicated that there were ways, even within the limited confines of what the government was trying to do in the bill, that the bill could be improved. However, the government, through its MPs on that committee, decided that the bill was fine as-is.

Look at House of Commons Procedure and Practice, second edition, on page 742. It tells us what this procedure was intended to be when the McGrath report came down in 1982 or 1984. It was intended to be an empowering mechanism for the House in relation to government legislation. It was meant to create more of a partnership between MPs and the government. It says:

This empowers Members to examine the principle of a bill before second reading, and enables them to propose amendments to alter its scope.

In the end, this was a subterfuge. Who here is going to doubt that the reason it was sent to committee between first and second reading was to get it off of the agenda in the House, which can tend to lead to a bill receiving more public attention and producing the kind of civil society push back that we have seen meet the government's bills on and on for the last little while? It was a mechanism to reduce its visibility and to have it reappear just about now, with two weeks to go, when there is no steam, no energy, nothing left for civil society to get its mind around in terms of general resistance.

My colleagues have mentioned a problem with this bill, as with other bills that start in the Senate, which is a structural problem that will hopefully be dealt with after the next election by having the Senate put in its proper place. There is also something here, which is that there has been no acknowledgement by the government that this bill probably does conflict with the Spencer decision of 2014 in the Supreme Court of Canada.

This decision recognized the nature of the privacy interests in Internet users' data, including all the metadata that identifies various features of their existence on the Internet, and indicated that in a police context, warrants are needed in order to get access to that information.

PIPEDA, as amended by Bill S-4, would now allow private sector organizations, using the guise of fraud investigations, contractual breach investigations, et cetera, to request of any other private actor all that same information, and nothing is put in here by way of safeguards. It is as if the Spencer decision never came down.

We have had no opinion tabled anywhere from the Department of Justice, through the Minister of Justice, to say that under section 4.1 of the Department of Justice Act, the minister has assessed that Bill S-4 complies with the charter, even after the Spencer judgment. That is because the government never tables opinions and never takes charter arguments seriously.

The record is clear. Last year alone, something like a dozen judgments came from the courts, and 10 out of the 12 found that the government's legislation breached the charter or other principles of law.

The bottom line is that this bill is not a good story for democracy, but that again, I am sorry to say, is not a new story.

The second theme is that the bill has missed the boat.

This all started in 2007. That was when the PIPEDA review was mandatory under the statute, and very quickly a couple of different bills began to appear in the House. They just never got through the minority Parliament at all. Nothing really changed along the way. The government is still stuck back in whatever its thinking was around 2007.

Let me quote from the Library of Parliament's background paper on Canada's federal privacy laws. It says:

As advances in technology increase the ease with which information about individuals can be gathered, stored and searched, the need to protect the privacy of such information presents a rapidly evolving challenge for legislators.

That challenge has not been met. It is as if the government does not know how much of an information economy we have rapidly, almost exponentially, year by year, evolved into being.

How about these basic facts?

The world's largest taxi company right now has no cars. It is the largest taxi company because it has information. That is Uber.

The world's largest accommodations company, Airbnb, owns no property, but it is the richest and largest company by virtue of how it owns information.

The world's largest retailer has absolutely no inventory. That is Alibaba, in China.

This is the world we live in now, and there is nothing in the PIPEDA amendments, in Bill S-4, to indicate the government is at all aware of what it means to be living in this economy.

We should think about the so-called Internet of Things. According to recent research, by 2020, 26 billion devices will be connected to the Internet. That is roughly an average of something like three or four per person on earth. There is no evidence that this bill even comes close to understanding the privacy issues that arise from the fact that we are increasingly living in a connected world in which our phones will be reporting on our heart rates, our fridges will report on our eating habits and even order our groceries, self-driving cars will be out there on the roads, and thermostats and smart meters will monitor our every movement. There is nothing in the bill in that regard. All I would say is that amendments that are 10 years out of date are not exactly something to write home about.

The third theme is the inadequacies and the problems in the bill.

Let me just list them. They have been mentioned before.

First, the way in which the bill deals with giving consent on the web is inadequate after the Spencer case.

Second, the loophole that allows for private organizations to pass on information without any kind of safeguard system analogous to a warrant system, on the simple basis that they are investigating breaches of agreement or fraud or financial abuse, is a recipe for incursions into privacy.

Third, I would end by saying that the reportability standard whereby, if there is a breach of data, a company or holder of the data must tell the person whose data has been lost on the basis of a real risk of significant harm is a subjective standard that is assessed by the company. There is no real system to ensure that it does not become a mechanism for breaches to be hidden from public view and hidden, therefore, from accountability.

Digital Privacy ActGovernment Orders

4:45 p.m.

Okanagan—Coquihalla B.C.

Conservative

Dan Albas ConservativeParliamentary Secretary to the President of the Treasury Board

Mr. Speaker, I want to thank my colleague across the way. I always find him to be a very learned member who always brings to the debate a level of intelligence and levelheadedness.

He mentioned the Senate in his speech. He said that after the election, he has a plan to solve the Senate. I would like him to extrapolate what he means by that and explain his rationale or how he is seeking to solve it. I would like to hear a little more about that.

Digital Privacy ActGovernment Orders

4:45 p.m.

NDP

Craig Scott NDP Toronto—Danforth, ON

Mr. Speaker, I am sure my colleague would, but I think we will keep the topic on Bill S-4 today.

Digital Privacy ActGovernment Orders

4:45 p.m.

An hon. member

You raised it.

Digital Privacy ActGovernment Orders

4:45 p.m.

NDP

Craig Scott NDP Toronto—Danforth, ON

I did raise it. You are correct.

Mr. Speaker, there are a whole range of measures that we would ask the Senate to consider to put itself in the proper relationship of complementarity to the House of Commons for so long as it exists. I will be releasing those measures at some point, but not at the moment. Meanwhile, we will do everything we can to convince Canadians and the other partners in Confederation that the Senate has seen its final days.

Digital Privacy ActGovernment Orders

4:45 p.m.

Liberal

Kevin Lamoureux Liberal Winnipeg North, MB

Mr. Speaker, my colleague wonders whether the NDP might be looking at changing its position on the Senate, but that is not why I stood up.

My question is in regard to privacy-related issues. Privacy continues to be a major issue in the minds of Canadians, and justifiably so. With the growth of technology, growth in participation in the Internet, and growth in the concerns related to privacy, whether in relation to government or in relation to private sector companies, we want to make sure that this information is being guarded. We want to make sure that the government can provide leadership in the form of legislation and that the potential for fines will in fact be realized.

The member referred to the government's lack of enthusiasm in dealing with this concern. Does he believe that the government has failed in terms of understanding the need for robust legislation that would protect the interests of consumers and has lost the opportunity to do so, as Canadians will likely want to see change toward the end of the year?

Digital Privacy ActGovernment Orders

4:45 p.m.

NDP

Craig Scott NDP Toronto—Danforth, ON

Mr. Speaker, the short answer—and I think I spoke to it in my speech—is yes, the government has generally lost the plot.

Privacy is more rhetorical from that side of the House, at least from the government ranks. I am not saying that is the case for all members of Parliament, but I do not think the Conservatives have any sense at all of where privacy absolutely needs to be taken seriously versus when it is used as a shibboleth for other kinds of agendas, as my colleague from Trinity—Spadina pointed out very well in his speech by noting that when privacy suddenly rears its head on such things as the long form census and the long gun registry, it does not quite rear the same head when it comes to privacy in the Internet context.

Digital Privacy ActGovernment Orders

4:45 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Mr. Speaker, I congratulate my colleague on his speech.

I would also like to talk about the process this bill would establish. The government could have taken this opportunity to fix the flaws in the Personal Information Protection and Electronic Documents Act, in order to ensure that Internet service providers and government agencies could no longer voluntarily share information without a warrant. There were at least 1.2 million requests in a single year. We have no details about why or about the circumstances surrounding these requests. The one thing we do know is that there was no warrant.

Could my colleague talk more about this missed opportunity?

Digital Privacy ActGovernment Orders

4:50 p.m.

NDP

Craig Scott NDP Toronto—Danforth, ON

Mr. Speaker, I thank my colleague for the question and for all her work, without which I would not be even half as informed about this bill as I believe I am.

The issue is ultimately that the government is not at all interested in having Canadians know the extent of something even so comparatively innocuous as the government asking for voluntary disclosure of information from private companies. The minimum, for example, that certain witnesses asked for is just to have statistics that the Privacy Commissioner and everybody else could be looking at, so that people would have a sense of the scope of the phenomenon. Nothing like that is even in the bill, let alone a regime that would actually regulate the phenomenon.

The bottom line is that the more Canadians know about the scope of government access to private information, the more concerned they become. The government is quite far behind on this issue. I think the Conservatives have a tin ear when it comes to where Canadians are on privacy issues.

Digital Privacy ActGovernment Orders

4:50 p.m.

Conservative

Jay Aspin Conservative Nipissing—Timiskaming, ON

Mr. Speaker, I am pleased to rise to speak to Bill S-4, the digital privacy act, which has been referred back to the House by the Standing Committee on Industry, Science and Technology.

Last year, our government launched digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a broad-based, ambitious plan to take full advantage of the digital economy as we celebrate our 150th anniversary in 2017. It is the next step to build our nation and connect Canadians to each other.

As the digital economy grows, individual Canadians must have confidence that their personal information is being protected. That is why, under digital Canada 150, one of the five pillars is known as “protecting Canadians”. The digital privacy act would provide important and long-awaited updates to our private sector privacy law, the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.

PIPEDA provides a legal framework for how personal information must be handled in the context of commercial activities, while also setting guidelines for the collection, use, and disclosure of personal information. These rules are based on a set of principles developed jointly by government, industry groups, and consumer representatives.

The digital privacy act would strengthen marketplace rules set out by PIPEDA in important ways. In addition to protecting and empowering consumers, amendments would clarify rules for businesses and reduce red tape. These guidelines would also ensure that vital information is available to Canadian businesses, so they have the necessary tools to thrive in the global digital economy.

Balancing the individual expectations for privacy and the needs of businesses to access and use personal information in their day-to-day operations is important, and Bill S-4 gets it right. It would ensure individuals that, no matter the transaction, their personal information would continue to be protected under Canadian law.

The need to update rules for online privacy continues to grow. Breaches of personal information held by retail giants like Target and Home Depot, where the credit card information of millions of Canadians was stolen, underscore the need to strengthen PIPEDA with mandatory breach requirements.

The bill before us would do exactly this by establishing new requirements for organizations to inform Canadians when their personal information has been lost or stolen and there is a risk of harm. The privacy commissioner must also be notified. An organization that deliberately covers up a data breach, or intentionally fails to notify individuals and report to the commissioner, could face significant fines as a result.

Let me now take a minute and point out some of the ways in which the bill before us would create an effective and streamlined regime for reporting data breaches. The digital privacy act would establish a clear and straightforward test that businesses must apply to determine whether or not they are required to report a breach. If a business determines that a data breach creates a significant risk of harm to a customer or client, then it must report this information both to the individual affected and to the privacy commissioner. If the organization determines that a data breach does not pose a risk of significant harm—that is, their data security safeguards were compromised but they avoided a situation where their customers are exposed to threats like identity theft, fraud, or humiliation—then that organization must keep a record of the breach.

The requirement to maintain these records, even if the breach is determined not to be serious at the time, would serve two purposes. First and most important, it would require companies to keep track of when their data security safeguards fail, so that they can determine whether or not they have a systemic problem that needs to be corrected. An initial breach may not be serious because the information lost is not particularly sensitive. The next time, however, the company and the individuals affected may not be so lucky. Keeping track of all breaches would help companies identify potential problems before individual privacy is seriously harmed.

Second, these records provide a mechanism for the privacy commissioner to hold organizations accountable for their obligations to report serious data breaches.

At any time, the privacy commissioner might request companies to provide these records, which would allow him to make sure organizations are following the rules. If companies chose to deliberately ignore these rules, the consequences, as set out under the digital privacy act, would be serious.

Bill S-4 would make it an offence to deliberately cover up data breaches or intentionally fail to notify individuals and report to the commissioner. In these cases, organizations could face fines of up to $100,000 for every individual whom they fail to notify. These penalties represent just one way in which the digital privacy act would safeguard the personal information of Canadians.

The Privacy Commissioner of Canada strongly supports the proposed data breach rules in Bill S-4. He told the standing committee that:

...I am greatly encouraged by the government's show of commitment to update the Personal Information Protection and Electronic Documents Act, and I generally welcome the amendments proposed in this bill.

Proposals such as breach notification, voluntary compliance agreements and enhanced consent would go a long way to strengthening the framework that protects the privacy of Canadians....

Similarly, the Canadian Bankers Association voiced its support for these amendments, telling the committee:

The banking industry supports the requirements in the digital privacy act for organizations to notify individuals about a breach of their personal information where there is a risk of significant harm.... We also support the commissioner's new oversight powers to ensure that organizations comply with these new provisions.

I think it is clear that Bill S-4 would deliver a balanced approach to protecting the personal information of Canadians, while still allowing for information to be available in a growing, innovative digital economy.

Mr. Karl Littler, vice-president, public affairs, Retail Council of Canada, summed it up best, when he told the standing committee:

Generally speaking, Bill S-4 strikes the right balance between action to protect digital privacy on digital fraud and financial abuse, while recognizing the strengths of PIPEDA and its forward-thinking technologically neutral approach.

I think we have it right with the digital privacy act. Both business and consumers have been empowered in the digital age, but if Canada is to remain a leading digital nation, Canadians need to have confidence that their online transactions are safe and their privacy is secure.

Bill S-4, the digital privacy act, would strengthen the rules protecting the personal information that is essential to the conduct of business in virtually all sectors of the economy. The digital privacy act would go a long way to improving the protection of privacy for Canadians.

I urge hon. colleagues to join me in supporting this bill.

Digital Privacy ActGovernment Orders

4:55 p.m.

Liberal

Kevin Lamoureux Liberal Winnipeg North, MB

Mr. Speaker, I would like to pose the same question I asked another colleague of the member, and that is in regard to the timing of the legislation itself and the government's unwillingness to recognize the need to allow for amendments of its own legislation, which could ultimately provide greater strength and improve the legislation itself.

No doubt the member recognizes, as I am sure all members of the House would, the concern Canadians as a whole have in regard to privacy-related issues. It is somewhat surprising that the government has been unable to really bring in robust legislation that would, in fact, provide assurances to Canadians that the government really understands the issue.

At the last minute, months away from an election, with only a few weeks to go, now we seem to see the government in a hurry-up mode or attitude, in terms of, well, this is the best we can get.

Does the member recognize that the government has actually fallen short in addressing the very important issues that Canadians have, related to protecting their privacy, especially given the growth of the Internet and other technologies and the amount of information available on the Net today?

Digital Privacy ActGovernment Orders

5 p.m.

Conservative

Jay Aspin Conservative Nipissing—Timiskaming, ON

Mr. Speaker, clearly, the time to act is now.

These ideas have been around for a long time. We have debated them for quite a period of time. What Canadians are looking for is action. This is not a perfect bill by any means, but we do not let the perfect be the enemy of the good.

Chantal Bernier, former interim privacy commissioner, says, “I welcome proposals” in this bill. The bill contains “very positive developments for the privacy rights of Canadians...”. “I am pleased that the government has” addressed such issues as breach notifications.

The current Privacy Commissioner, Daniel Therrien says:

...I am greatly encouraged by the government's show of commitment to update...[PIPEDA], and I...welcome the amendments proposed in this bill.

I submit that it is time to act, and that is precisely what our government is prepared to do.

Digital Privacy ActGovernment Orders

5 p.m.

NDP

Rosane Doré Lefebvre NDP Alfred-Pellan, QC

Mr. Speaker, I thank my colleague from Nipissing—Timiskaming for his speech on Bill S-4.

I worked on Bill C-51, which thousands of Canadians opposed. They were worried that the bill would invade their privacy and violate their rights and freedoms. In the answer he just gave, my colleague said that this bill was not necessarily perfect but that we need to take action. I have a question for him.

Bill S-4, and also Bill C-13, would allow greater access to personal information without a warrant and without provisions for a proper oversight mechanism. This is reminiscent of the extremely distressing Bill C-51, which we studied not too long ago.

Why is the government working so hard to allow snooping without a warrant by creating bigger holes with Bill C-13 and Bill S-4?

Digital Privacy ActGovernment Orders

5 p.m.

Conservative

Jay Aspin Conservative Nipissing—Timiskaming, ON

Mr. Speaker, as I indicated, I believe that this bill strikes the right balance. I believe the time to act is now.

We certainly have ample support from across Canada: the Canadian Chamber of Commerce, the Canadian Bankers Association, Credit Union Central of Canada, the Insurance Bureau of Canada, the Retail Council of Canada, the Canadian Marketing Association, the Canadian Pharmacists Association, and the Canadian Life and Health Insurance Association. All of these groups show a good, broad, strong base of support for this legislation, and I submit that the time to act is now.

Digital Privacy ActGovernment Orders

5 p.m.

Okanagan—Coquihalla B.C.

Conservative

Dan Albas ConservativeParliamentary Secretary to the President of the Treasury Board

Mr. Speaker, I am very happy to be in this place and to rise on behalf of the people of Okanagan—Coquihalla. I am also pleased to express my support for Bill S-4, the digital privacy act.

Bill S-4 provides a number of important updates to the Personal Information Protection and Electronic Documents Act. In my view, these updates are long overdue and will better protect Canadians, in particular consumers, seniors, and children, who could be more vulnerable to sharing personal information online.

I believe that most parents would agree that today's kids' use of the Internet and related digital technologies is unprecedented in our history. Today, children have access to everything online, from information for school projects to gaming, music, movies, and much more.

A wide variety of devices are used to engage in activities such as socializing or gaming with friends, and of course, sharing photos and videos on social media sites that can be viewed by people all over the world. A young teenager may have a picture or a self-made video viewed by tens of thousands of people. While that may be an exhilarating experience, I would also say that it could potentially be a dangerous one.

As we know, a survey conducted in 2013 found that 30% of grade 4 to grade 6 students had Facebook accounts. By grade 11, that increases to 95% of all students, and that is just Facebook. What about Twitter or Instagram or Snapchat?

Businesses are not naive to these trends. Online services can generate massive amounts of revenue. The action of collecting and analyzing personal information for marketing purposes is huge and increasingly valuable. This includes personal information taken from websites, apps, and search engines aimed at kids.

Do kids have any idea that their information is being gathered? Do parents? Is there a clear understanding of what happens to that information that is required to register and download or play a free online game?

Our government recognizes that the digital world offers benefits to children. We are also aware that the online community is often a reality in our day-to-day lives.

The skills kids develop by participating and navigating in online activities can create a significant advantage as they grow up and transition into the job market. Indeed, many high-school-aged kids today have as much, or more, online literacy than a technician would have had a decade ago. However, with growing participation in the online world come increased threats to privacy.

PIPEDA currently contains provisions that protect the personal information of children. As an example, businesses cannot obtain consent in a deceptive or misleading manner. The act also prevents companies from denying access to services on the basis of a refusal to share personal information.

The digital privacy act proposes an amendment to increase protection by creating new safeguards related to the collection, use, and disclosure of personal information. The bill would require that an organization ensure that users, as a group, were able to understand what happens to the information that is collected about them.

I would like to provide this place with a few examples of how the proposed amendment would work.

One example could be an educational website designed to help elementary school kids develop math skills. Under the proposed amendment, requests by that particular website to collect, use, or disclose personal information would need to be understandable by the average elementary school student. This would ensure that these requests used words and language that was appropriate for the website's target audience. Under the digital privacy act, it would not be reasonable to simply expect average elementary kids to understand what clicking the “I agree” box actually meant. If there was no clear understanding as to why the information was being collected, the company would not have valid consent.

As another example, in the case of a mobile app that allowed teenagers to create music recordings, that app would need to obtain the consent of these teens in a manner that would be different if the app were targeting adult users.

I am also aware that during the committee hearings on Bill S-4 , a number of witnesses shared their views on the proposed consent measures.

The Privacy Commissioner of Canada, when expressing his support for this amendment, stated the following:

it is a useful clarification of what consent is, and it has the potential of improving the situation for the issue of consent sought from children.... So, when the individual is a child, if your product is addressed to children, you should think about what is reasonable to expect of a child in understanding the consent being sought. Overall, I think, again, the definition of consent in Bill S-4 will assist generally and will assist particularly groups that are more vulnerable, like children.

The committee also heard from other expert witnesses who offered their support for the consent amendment. For example, the Retail Council of Canada stated its wholehearted support for this proposed amendment on valid consent, emphasizing in particular that, “a vulnerable population such as children should be protected”.

In addition, the Marketing Research and Intelligence Association, which represents the Canadian survey research industry, also wrote to the committee to share its views on Bill S-4. In its submission, it stated that the amendment “provides added clarity for organizations when they seek the valid consent of an individual when collecting, sharing and disclosing their personal information” and “that specifying the elements of valid consent will go a long way to protecting the most vulnerable Canadians, such as seniors and children”.

These are positive endorsements, and I believe they speak to the idea that children need and require extra protection when it comes to their online activities and the protection of their privacy.

In early May of this year, an international network of privacy commissioners, called the Global Privacy Enforcement Network, or GPEN, conducted a worldwide spot check on children's privacy protection. This privacy sweep, as it was called, looked at whether apps and websites worldwide inappropriately gathered information on children.

For some background, GPEN began conducting worldwide privacy sweeps in 2013. The first sweep focused on website privacy notices, and then in 2014, it focused on mobile apps. These sweeps have involved the active participation of Canada's own Privacy Commissioner. They have highlighted areas where privacy practices are lacking. Each time the sweeps have successfully resulted in concrete positive changes to a large number of apps and websites.

This year GPEN also looked at the types of information being collected from children and whether protective controls exist to limit that collection. This year's sweep also looked at whether these sites and applications take steps to make privacy policies understandable to kids, using things like simple language, large print, audio and animation, and whether parental involvement is encouraged.

The Privacy Commissioner of Canada had this to say about the children's privacy sweep:

Children are more connected than ever before and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or email address. This is about protecting children. I can’t think of anything more important than that.

I agree with the Privacy Commissioner.

This year's sweep was a privacy spot check that included 29 data protection authorities from 20 countries, including the Privacy Commissioner of Canada. I believe that many members of this House will look forward to the results of this groundbreaking privacy sweep when it is released in the fall. I expect the results will be of assistance to the Privacy Commissioner and the private sector in determining where changes need to be made to comply with the new enhanced consent requirements under the digital privacy act.

Earlier this year, our Privacy Commissioner also published a top 10 list for protecting children's privacy for organizations with services aimed at children and young people. These tips offered by the Privacy Commissioner emphasize that when it comes to children, the privacy protection bar needs to be set extremely high. I submit that this is why the Privacy Commissioner of Canada has publicly recognized that the amendment would enhance the concept of consent.

We have heard from the Privacy Commissioner and from privacy commissioners that this is an emerging field. I believe that the amendments made to PIPEDA will help protect our children and other vulnerable populations, like seniors. I would humbly ask all members in this place to give these provisions their due review and support.