Mr. Speaker, I will be splitting my time with the member for Willowdale.
We increasingly live our lives online and our laws need to reflect that reality. Privacy is a human right and it is inextricably connected to our personal autonomy.
The Council of Europe's Convention 108 states, “The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.” The GDPR states, “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
The incredible scale of data collection can be a powerful force, both for good and bad, so we need strong privacy and digital rights and a strong regulator to enforce them.
There is much in our government's Bill C-11, which is a serious reform of PIPEDA and certainly long overdue. I remember in June 2018, I introduced legislation simply to give the Privacy Commissioner new powers, which our privacy committee had twice unanimously recommended. We have come a long way since then with this substantive bill. OpenMedia said, “Bill C-11 is a big win for privacy in Canada.”
While I have heard some reflections from experts and certainly from some parliamentary colleagues already about how the bill can potentially be improved, or some open questions about what might need to be fixed, it is certainly deserving of our support at second reading. I look forward to working with colleagues across party lines to improve the legislation at committee where we can.
At this point, to work at committee across party lines, something of a detour is required. I want to specifically commend my Conservative Party colleagues from Prince George and Thornhill, my NDP colleague from Timmins—James Bay and my Liberal colleague from Kitchener Centre. We worked very long and hard on privacy issues in the last Parliament. We helped found the International Grand Committee, comprised of over 10 countries, to discuss these issues. We hosted the second meeting of the IGC in Ottawa. We tabled the report “Towards Privacy by Design” in February of 2018.
When we as parliamentarians talk about committee work and often the overlooked nature of the committee work, we do not always see that committee work turn into legislation. In this instance we have.
We recommended stronger consent rules and we see stronger rules in Bill C-11. We recommended algorithmic transparency and we see in Bill C-11 a commitment on transparency where systems are used to make predictions, recommendations or decisions about consumers. We recommended data portability and interoperability. We see those commitments in Bill C-11.
We see stronger powers for the Privacy Commissioner. I mentioned that need for a strong regulator, including order-making, auditing and the ability to levy fines. We see order-making powers. We see the ability to audit. We see a new tribunal, and while I understand some of the caution or questions members are raising in respect of this design, it is consistent with the competition commissioner and tribunal operations and worth looking at more seriously to see if it can be approved. However, through the tribunal, we see the ability to levy significant fines, in the magnitude of $10 million to a maximum of $25 million for more serious fines.
In terms of the course of that committee work, I want to reflect on a couple of stories about why this kind of legislation is so important and critical.
I think it was in the fall of 2017, when we were in the midst of the study on PIPEDA reform, that the member for Thornhill, the former member for Skeena—Bulkley Valley, I believe I am getting that right, and I went down to Washington and met with other elected representatives there. We witnessed some of the hearings in relation to the Equifax breach, but we also met with Facebook officials. At that time, when a question was put by I think the member for Thornhill as to what Facebook's views were on the potential new regulations, they said absolutely no new regulations were required in Canada due to the strong framework through PIPEDA and, if there were new rules, that might affect Facebook's willingness and interest in investing in Canada. Certainly, we have come a long way since those kinds of conversations and push-back by big tech companies against stronger privacy rules.
We saw that Mark Zuckerberg unfortunately did not attend before the IGC, though he said he would like to work with parliamentarians around the world, but we can certainly say that the days of self-regulation are over and asking for regulation. Here is that kind of regulation in Canada.
On consent, I have to tell one other story that happened at committee. Again, we had Facebook officials there. We were in the midst of going down the rabbit hole of the Cambridge Analytica scandal and the Canadian context of that third-party app, which had shared so much information. I think it was under 300 Canadians who had used the app, but thousands of Canadians had their information shared. I put to Facebook at the time, “How is it that on the basis of meaningful consent thousands of Canadians could have agreed that their friends share their information through this third-party app and then share it with Cambridge Analytica?” With a straight face somehow, a Facebook representative said to me that it was in their terms and conditions.
That speaks to the problematic nature of consent in the existing law and the lack of meaningful consent. Thankfully, our Privacy Commissioner, despite his current lack of meaningful powers, pursued that line of inquiry and found that Facebook violated our current laws and took the matter to court. We know that with stronger consent rules, there would have been no ability for a Facebook representative to say with a straight face that there was meaningful consent.
Plain language is important. I would go further, though, and say that as we think about consent, particularly in a consumer context, I think we ought to be more wary of privacy by default. We have to be more concerned about privacy by default. Where there is a reasonable expectation of the consumer that information is going to be shared and used in a particular way, then explicit consent, obviously, ought not need to be required, but where there are secondary uses, where there are uses beyond a reasonable expectation of that consumer then, certainly, we need explicit opt-in consent. It needs to be very clear to consumers how their information is to be used, if at all.
I want to emphasize the consumer context because it is a curiosity of privacy legislation and a curiosity of consumer protection legislation that when I purchase my phone I do not have to read the terms and conditions. There is no expectation by government that I read the terms and conditions, yet I am protected. There are implied warranties pursuant to consumer protection legislation. I do not need to read those terms and conditions in order for my rights to be protected as a consumer, yet there is an expectation when I download any app on my phone that I read the terms and conditions. That cannot be a tenable state of affairs if we want to protect consumers. We cannot expect consumers to read every term and condition, and every consumer contract in the course of downloading applications, and in the course of living their lives, as I said, increasingly online. Our laws need to reflect that reality.
There are obviously some straightforward fixes for this legislation. The membership of the tribunal should obviously have greater privacy expertise. I think that is a no-brainer. We do have to think more deeply through some of these consent rules and how we can strengthen them potentially further. I would like to see us go beyond algorithmic explainability to some kind of algorithmic accountability.
I know that others have mentioned political parties being left out. I do not know that political parties need to be subject to PIPEDA specifically, but they ought to be subject to privacy legislation. If there is no further effort under way by the government, then I think PIPEDA may well be the place to do that.
Lastly, I think we have to focus on children, in particular, when we look at consent rules and protecting kids on the Internet. Previously, I have written and spoken publicly about my support for our right to be forgotten, but I do think we have to be more focused on our rules and protection for kids as they grow up with the Internet and live their entire lives online.
I will close by simply saying that this is a big bill. This is second reading and, certainly, all of us ought to support this in principle. I look forward to working with experts and colleagues to strengthen the bill at committee and get into the details.