Mr. Speaker, it is a great opportunity to rise today to speak to Bill C-11.
We are surrounded by data that seems to be out of control, lost by corporations, sometimes stolen from governments. Data that we voluntarily give up about ourselves is being collected billions of bytes at a colossal rate. It has a tremendous impact on our privacy and what is being calculated or inferred about us in our daily lives, such as if we have a good credit rating, or if we can buy a car or when we go for drinks with a colleague. All of this is very much apparent today, particularly during this health crisis when people are definitely at home and using the Internet to a greater extent.
Everything we do today has some impact on data. Whether we take an Uber or order a meal, that data is collected. Quite frankly, we need to ensure people's privacy is protected.
Why does privacy matter? It is a question that has arisen in the context of this global debate, made worse by this pandemic, where millions around the world have come to rely on computers to carry out a function for their very lives. When we hear arguments about Internet privacy, a lot of what we hear about this mass surveillance is that there is no real harm due to this large-scale invasion, that people have nothing to hide. Those engaging in bad acts have a reason to want to hide and care about their privacy.
This is presupposed on the assumption that there are good and bad people in the world. Bad people who plot to take down governments and plan public attacks are the people who have reason to care about their privacy. By contrast, there are good people, people who go to work, pay taxes, care for their children and use the Internet, not to plot civil destruction but to read the news and find recipes. These people are doing nothing wrong and have no reason to hide.
In a 2009 interview of the long-time CEO of Google, Eric Schmidt, when asked about the different ways his company was causing the invasion of privacy for hundreds of millions of people around the world, he said, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.” There are many issues with this statement, one being that this is the very Eric Schmidt who blocked his employees at Google from speaking with the online Internet magazine CNET after it published an article full of personal private information, which was obtained exclusively through Google search and Google products.
A few short decades of the Internet, once held as an unparalleled tool of democracy liberalization, have been converted into an unparalleled zone of mass indiscriminate collection. Enter 2018, when the EU has set the global standard for privacy regulation with the flagship general data protection regulations, known as GDPR, signalling to Canada that our 1990s era of the Personal Information Protection and Electronic Documents Act did not have the teeth to take on big tech.
Bill C-11 would bring in additional privacy regulations. Replacing PIPEDA with CCPA would provide an opportunity for greater detail within the law rather than just relying on the interpretations of the Privacy Commissioner. This is a good thing.
The structure will include a personal information and data protection tribunal that will play a key enforcement role by reviewing all commissioner decisions and issuing penalties for non-compliance. There will be an expert tribunal composed of three to six members, but interestingly enough it says there may be only one expert, which may be a deficiency in the act.
What are these new privacy rights? One is data mobility. Subject to regulations, on the request of an individual, an organization must, as soon as feasible, disclose the personal information that is collected from an individual and to an organization designated by the individual. Data mobility is a fact of life and this is a good thing. What format that data will be transferred in will need to be discussed.
On algorithmic transparency, if the organization has used an automated decision process to make a prediction or recommendation, then the organization must, on the request of an individual, provide an explanation of the prediction, recommendation or decision and the personal information that was used to make the prediction. It seems like a reasonable intent and is something it should be able to do without giving up the code.
With respect to de-identification, the bill states:
An organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified...
Then there is the new enforcement. The Privacy Commissioner of Canada will have the order-making power that will enable the office to order compliance with the law and recommend significant penalties.
I should mention I will be sharing my time with the member for Calgary Centre.
In some cases, the recommended penalties are the highest in the G7, so they are significant. The expanded range of offences for contraventions of the law are a maximum fine of 5% for a global revenue of $25 million. There are administrative penalties as well.
One of the issues I see with this is that the legislation and penalties invoke fear, but there will be a question of whether there are adequate teeth for enforcement.
The law includes whistleblowing provisions that protect those who have disclosed alleged privacy non-compliance and a private right of action that will allow individuals to seek damages for loss or injury suffered through privacy violations.
There are new standards of consent. This has been a big issue for individuals. How many people have signed up to a site, with three pages of disclosure to which they are supposed to consent? I would argue that very few people will actually read that kind of detail. Therefore, there is an attempt within the legislation to use clear language and simplified consent. Given the depth of the legislation, that may be a difficult thing to achieve, but is a worthwhile goal.
Deceptive practices to obtain consent with false or misleading information render the consent invalid and individuals can withdraw their consent at any time. There is the question of whether people are providing consent for multiple activities or just an individual activity. That should be clarified.
The realm of data is largely uncharted territory and we find ourselves asking the question of who owns our data. Our opinion is that people own their data and they should own their data.
The word “consent” is mentioned 108 times in the GDPR. In the first reading of Bill C-11, it was mentioned 118 times. This sounds great. Who could possibly be against the consent of data? Challenging consent seems counterintuitive in the world of privacy because it is so linked to us and our autonomy. However, it is both impractical and undesirable and serves to explain why our privacy law is in such a sorry state. It is imperative the legislation is written with as little room for interpretation as possible.
There are some standards within that bill. It states:
An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2)...
Under that subsection, it states:
(a) a reasonable person would expect such a collection or use for that activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
The issue is this. If that is subject to interpretation, we could have a pretty broad interpretation of what it says. Hopefully this act, with the regulations that follow, will clearly define what is in and what is out.
At the end of the day, if we are using services, many services are disrupting, shaping and helping our lives in ways we could not have possibly imagined mere decades ago. Whether we like it or not, it is big tech that has provided these realities for us and the government should, as with any other key stakeholder, create meaningful, effective and collaborative policy but require consultation. It is one thing to consult in front, but now that we have legislation, we need to ensure we get it right. We need to ensure that industry, particularly small businesses, remain competitive. The bill is being sent for review to the privacy and ethics committee. There is a strong argument that the industry committee should have a look at this bill as well.
Therefore, proper consultation must happen. There is nothing wrong with doing that. I hope the government will ensure the bill is properly consulted on.