Mr. Speaker, today, I rise to give my input on Bill C-11, the digital charter implementation bill. I am happy to give this input. It is a timely bill for Canadians because this bill is about access to people's information and, more important, how that information is monetized by others. At a time when big corporations around the world are earning billions of dollars very quickly from information, getting in front of this issue right now for Canadians is very important.
What is being sold? Canadian information is being sold. What do Canadians privately own of their own data? This is the question that should be addressed in this bill. The converse of this, of course, is the targeted marketing and what Canadians get from the fact that they are giving away their information so they are getting back more services that might be tailor-made to them. It is one of those areas where the intent of Canadians not to give away their data and the result of that data that they willingly gave away, in many instances can be very contradictory. Let us tell Canadians first, as my colleague said here earlier, that they are the product.
Phones are listening to us. Computers are listening to us. Sometimes, computers are watching us. Sometimes, when my sons at home have Siri on, they say, “Siri, turn on”. Siri comes on and I tell them, “Siri was listening the whole time because it just turned on when you told it to turn on.” A lot of information is being culled. We do not know which of that is resting with us, and which of that is public information to be monetized by somebody else.
When I read this bill, I saw a bureaucratic solution designed by bureaucrats for use by bureaucrats, with what will be minor effect for the Canadian population in general. As much as we would like to make sure that we actually do deal with the issue around Canadians' private information that is provided online, we do need to make sure that it applies consistently across our country. It is a bubble created by a bureaucracy, and that bubble is lacking any consequences for mistakes and those mistakes will happen within the bureaucracies of the Government of Canada. In essence, from the Government of Canada's level, everything in this bill shows a complete lack of accountability for the government about how it might misplace or misuse Canadians' data.
I recall, years ago, the government's approach to what was the no-call list. There was a lot of telemarketing going on at the time and the government came out with a solution. If people registered their phone number it would ensure they did not receive telemarketing. We all jumped on that because on our land lines at the time we were getting a lot of telemarketing. When that registration came up, of course my land line was registered and it said to put in my cellphone number too. I put in my cellphone number, and the next day I started receiving telemarketing on my cellphone where I never had before. What apparently happened is the Canadian government's site had been hacked and all that information was sold to telemarketers. It is a shame because it got no money for it. My information was given away for free and a whole bunch of telemarketers got something from the Government of Canada that was literally stolen from Canadians. Therefore, my data was somebody else's, without my consent, as a result of my contribution to the Government of Canada.
Consumer pricing protection is something that would fall in the same type of realm. How do we make the Government of Canada accountable for what might happen with the data that we willingly give the Government of Canada? Will there be fines? Do we actually tell the Government of Canada that if it does not protect this information the Canadian government is going to fine the Canadian government and therefore the taxpayers are going to have to contribute to the government's fining itself? It is a bit of an around-the-world kind of trip, much like quantitative easing.
The problem is, who has this information about me? I do not know, but the party I am forced to disclose the most information to, that I know about, is the Government of Canada.
Let us discuss how stopping that government body in charge of the information I provide is mishandled. That would be the Canada Revenue Agency more than anybody else. It has my financial information, all kinds of dates and my social insurance number. Frankly, having dealt with it for years, it is a disaster of an organization. It has the wrong information. It processes information badly. It is the worst organization to try and fix bad information. That is the Canadian government.
Let us look at what happened in the last handful of months here with the CERB. Data was pilfered and Canadian payments during a pandemic were misdirected. How much of the $400 billion spent is legitimate and how much is as a result of data hacks that went to the wrong entities? Canadians are paying for these mistakes. Canadians are paying now and Canadians are going to continue paying for generations.
The legislation looks like it is designed for large organizations. Let us start with banks. Banks are another organization that we provide a lot of information to and they have a lot of information about us because they handle our financial information. They know how much we are worth, they know how much we have on deposit and they know how much we owe on our mortgages. They are pretty deep as far as what they understand about us.
There are all kinds of small businesses here, as well, that we need to apply. I want to read from this legislation something that should scare any small business person. This is about privacy management programs as required under this legislation. It states:
Every organization must implement a privacy management program that includes the organization's policies, practices and procedures
It further states:
the organization must take into account the volume and sensitivity of the personal information under its control.
What does that mean and how do we interpret that? Further, an organization:
must ensure, by contract or otherwise, that the service provider provides substantially the same protection
They have to ensure something nebulous is provided by their service provider when forwarding information.
Let us get on the ground here. Someone can walk into a pharmacy and that pharmacy wants the Alberta health care number, which is private government information. The retailers want that information so they can continue to track certain things someone does. They know how much of a person's spending they have and they know how much they can market other products to that person if getting some kind of prescription. Government data is quickly translating over into retail data. That is not exactly something we want to provide.
I will go further here because seniors are the people most affected by this. There are so many seniors who are bearing the brunt of the pandemic. There are issues we go through as we age, including financial institutions, insurance companies and all service provides. Many take advantage of seniors in many respects because things get very complex. We want to make sure our seniors are taken care of in a system that continuously evolves, advances and gets more complex. That is something this legislation should take care of more than anything else.
I do not like being just critical. There are also good things in this legislation and I am going to point them out. The purposes of this legislation are that an organization must determine:
each of the purposes for which the information is to be collected, used or disclosed and record those purposes.
The information for consent is also required. Forms of consent are also defined within. The withdrawal of consent is there, as is the disclosure to cease that actual consent.
Another good thing is there is a period for retention and disposal of data that we provide organizations. An organization must not retain personal information for a period longer than necessary. These are very good advances in the legislation. I thank the drafters of the legislation for that.
I have questions on some of the other parts of this legislation as well. On the transfer of information to service providers, organizations may transfer an individual's information to a service provider without the client's knowledge or consent. They would still be monetizing data that gets collected by one retailer or provider and—