Madam Speaker, since there are no other questions and comments, I believe that shows that my colleague was very clear. I will try to be clear as well. The bar is high, but I will try to meet it.
Generally speaking, as my colleague said, this bill represents a step forward and addresses several of the Privacy Commissioner of Canada's requests. Quebeckers were profoundly shocked by the Desjardins data breach. It was a very significant event. However, it was not the only one. Similar incidents occurred in 2017 and 2018, and there have probably been dozens more that we are not aware of. In fact, when a bank's data is stolen, the bank is required to inform the police and the Privacy Commissioner of Canada, but it is not required to inform the public or even its customers.
We like this bill because it sets out a series of principles relating to the collection and sharing of personal information by companies: free and informed consent for the collection and use of data; the ability to allow or deny the transfer of data to another company, such as between two financial institutions; the ability to withdraw consent or request that data be deleted; transparency about the use of algorithms that use personal data; and stricter criteria for the use of de-identified data. This bill also gives real powers to Canada's Privacy Commissioner, sets out significant penalties for non-compliance, and creates the personal information and data protection tribunal. All of that is great.
Unfortunately, the problem is that the bill omits one extremely important element, and that is protecting people's identity online to prevent fraud due to identity theft, especially during financial transactions. We know that Europe has brought in a whole suite of regulations to force financial institutions to verify a person's identity before authorizing a transaction. There is nothing like that in Canada, and this bill does not have anything of the kind either.
The federal government is not properly verifying individuals' identity before authorizing electronic transactions. We know that the challenge is to prevent data from being stolen and used to commit fraud. Having personal data stolen is unpleasant enough, so all measures must be taken to ensure that the data are not then used for fraud.
The debate in Ottawa over the massive data breach at Desjardins mainly revolved around social insurance numbers. We know that several people would like to change their social insurance numbers, but under the current system, they cannot do so unless they become a victim of fraud resulting from identity theft.
In addition, the federal government has received a number of requests to redesign the social insurance card to make it harder to counterfeit, similar to what Ottawa did with passports after the September 11, 2001, attacks, at the request of the United States.
These two requests are perfectly reasonable. The Bloc fully agrees and is asking Ottawa to follow up. However, that alone will not stop fraud.
The best way to prevent identity theft is to make sure that the person who is making the transaction is indeed who they claim to be. This goes without saying. There are three ways to verify a person's identity.
First, a person can be identified based on what they know, namely personal information such as their name, address or social insurance number. However, as cases of identity theft are on the rise, it is getting harder and harder to accurately identify someone. In other words, our private information is no longer private when everyone can find out almost everything about us. Fraudsters can simply use this information to create a fake ID, and they are set.
Second, a person can be identified based on what they have, such as their computer's IP address, which the institution can recognize if the transaction is being conducted from the person's home, or their cell phone, to which the institution can send a secret code via text message.
Third, a person can be identified based on who they are. The institution can use technologies that recognize a person's physical characteristics, such as their voice, their facial features, through the use of facial recognition, their digital fingerprints, which are increasingly being used by cell phones, or their handwritten signature.
Europe adopted regulations in 2016 requiring financial institutions to use at least two of these three ways to identify someone before authorizing a transaction. Banks in Canada are under no such obligation. If they believe that the control mechanisms will cost more than the losses they are currently incurring in fraud, they are better off doing nothing. The banks will not pay for controls that would be more costly than the fraud. That is simply profit-driven logic.
Many members have probably had the experience of having a store issue a credit card on the spot, based solely on the personal information we provide. We just have to give our phone number, address, and so on, and that is all it takes. This practice really opens the door to fraud, and it has to stop.
We believe that the banks must be forced to tackle fraud. That is the solution that we are advocating. We are going to propose possible approaches. As my colleague was saying, we are going to support the bill, but we will be bringing forward amendments. We will have concrete, constructive and coherent proposals when the time comes to study the bill in detail.
We will propose ways to combat identity theft, such as by drawing on the European regulations I was talking about, in order to force the banks to bring in robust processes to verify people’s identity before authorizing a financial transaction. We will also propose to increase fines in order to encourage banks to better protect their customers’ personal information. We will propose that banks be required to submit a detailed report, as part of their annual reporting, on the number of identity thefts and the resulting losses.
We will also propose a requirement to contact any person whose identity has been fraudulently used within the organization, regardless of whether an account was opened or not. As I said earlier, there is no such obligation in place and it must be brought in. There is also an obligation to cover the costs paid by victims to recover their identity. These costs must be covered by the banks, which are rolling in a lot more money than individuals and most of their customers.
There also need to be anonymous tip lines for employees who are aware of unreported identity theft, as well as protection for whistleblowers. There is currently a void when it comes to whistleblower protection, as in virtually all areas. I am getting a little off topic, but the House will have to deal with this issue as well.
Ottawa also has to look in its own backyard. Beyond the banks, the same anti-fraud controls need to be imposed on the federal government itself. Bill C-11 applies only to private businesses. It does not apply to the federal government. Currently, Ottawa’s online identity controls are clearly inadequate. Before authorizing a transaction, the government does not take all the necessary steps to ensure that a claimant is who they say they are.
Since last spring, there have been numerous cases of identity theft. These include Canada emergency response benefit claims made in other people’s names and tax refunds being redirected to other accounts. Some people will not find out that they have been victims of identity theft until they file their income tax returns. It has not yet happened yet, but it will soon. In a few months, many people will discover that they have been victims of fraud. Right now, they have no idea. This is absurd, and it is unacceptable.
Again this fall, thousands of taxpayers lost access to their Service Canada account, which prevented them from applying for employment insurance even though they lost their jobs because their region was going back into the red zone.
It is all well and good to introduce a bill on the management of personal data by private companies. I want to stress that we agree on this bill and that we will vote in favour of it. That part is settled.
However, Ottawa needs to clean up its own backyard as soon as possible and take immediate action to combat identity theft. We are saying yes to regulating private businesses, but we are also saying yes to regulating Ottawa and the banking industry.