Mr. Speaker, I am pleased to joining the debate on Bill C-11.
“One who wants to know is better than one who already knows” is a Yiddish proverb, and members know I have a great love of them.
However, I want to go through the legislation before us, because a lot of constituents have written to me with major concerns. It is not that they dislike the legislation per se. They agree, as many members have said, with the principles and content, but the bill falls far short of their expectations.
As the member for Cypress Hills—Grasslands has said, it is an issue of control, who controls the information. My personal belief is that property rights are a human right, and our digital presence, our cookies, the way we look is their digital private property and it should really be treated that way. We have a come to time where we should extend our conception of what is a property right to our digital presence.
I remember knocking on doors in Mahogany in my riding. A gentleman who worked for a large IT company was very concerned about deepfakes, the ability for people to create some really lifelike images, voices and mannerisms of other individuals and the possibility for it to be used for a nefarious purpose, to mislead, misdirect and also to get money out of people. Imagine what type of use people could get out of deepfakes. I think of the past few years where we have seen a lot of companies make immense strides in providing a digital picture of people who never existed, but they look so lifelike that it is so difficult to tell if they are actually deepfakes. They trick our eyes and brains to think they exist.
On the issue of control, I have had constituents bring up issues of Clearview AI harvesting through facial recognition technology, the Cambridge Analytica and Facebook scandals. Closer to home in Calgary, is Cadillac Fairview and what constituents have termed “secret mall surveillance”. There was a panel put up in different parts of the mall, one of the biggest malls in Calgary, that were collecting information off the images of people going in. I cannot remember what the purpose was, but it was stopped once many people started to raise issues with what the information was being collected for.
It is an issue of control. There are principles in this digital charter, and I do not want to go over them too much. However, I want to raise issues specific to things like the right to opt out of the sale of personal information. That is a really big one. The GDPR does this already as does the European Union.
Sometimes when people go online, depending on the country source for the product or service purchase, after having clicked through terms and agreements, because many people do not read those, it will ask whether they are opting out of the sale of their personal information. That is missing in this legislation, and it really should have been in there.
Many constituents, like Chris MacLean in my riding, raised this as an issue, saying that they would like to have more control to consent to where their information would go. I could imagine certain situations where people are fine with their personal information being sold, perhaps some of what they give a particular company is not much and they feel it could have some type of purpose or there could be some controls put in place. However, this legislation does not have that.
Then there are the consent exemptions. I want to focus a little more on this one. This issue has been of major concern to people in my riding. As I mentioned, Chris had issues with it, Kevin Silvester, Shelley Bennett and Randall Hicks had issues with it. There is a lot of them. The issue is “for a public interest purpose” is how the government has defined it, that is socially beneficial purposes, clause 39 is one of them.
It kind of lists off government institutions, public libraries, post-secondary educational institutions, any organization that is mandated under federal-provincial law or by contract with a government institution. What if it contracted out a large government youth program, like the WE charity, and then it ran it. What kind of personal information would be collected? I know it has been embroiled in its own scandals of late. The ethics committee met this morning and discussed it even further.
It continues on to point four. This is subparagraph 39(1)(b)(iv) under the disclosures made to any other prescribed entity. Then there is paragraph 39(1)(c), the disclosures made for socially beneficial purpose. That is such a broad definition. Who gets to decide what is a socially beneficial purpose? I could drive two Hummers through that definition, working for a contracted out organization, perhaps collecting information, processing a program, a service on behalf of the federal government. I have major issues with the way that is structured, because it allows so many exemptions to be provided in interactions.
When we read about these organizations, it is a lot compared with any other prescribed entity. There are no limits on this prescription. There are no limits on what the federal government could prescribe as an outside entity and then our information would be shared with them. That is a consistent concern that my constituents have. They mostly focus on the business angle of it, but we know that the federal government oftentimes has a lot of contracting out of services, including IT services and procurement services. For the construction of ships, for example, the government does not own shipyards; it contracts that service out and asks someone else to do it for the government. When they do that, is there not a possibility, because it is for a socially beneficial purpose, that the federal government could decide just to share information quite broadly? I have an issue with it because I do not think it does a great service for Canadians.
There is another issue I have with one of the definitions provided. It is the definition being used in the law for how personal information is defined. It says, “an identifiable individual”. The example that I gave, that many of my constituents give as well, is an example from Calgary when, years ago, Cadillac Fairview, which owns the Chinook Centre in Calgary on the Macleod Trail, was using facial recognition and surveillance information. Maybe they were just tracking the flow of pedestrian traffic through the mall, perhaps to plan where the doors should be; I do not know this, but if the benchmark being used in the definition is “an identifiable individual”, how much effort is a company going to put in to identify someone? That is what makes it identifiable. When I read through the legislation, I have a hard time grasping how far this could go. Is there an expectation that the companies will not keep this information at all because they did not make it identifiable, so it is okay? Is it because the image is too grainy? Is it because their name is so common that it could be just about anybody? It is an imprecise definition that could have really been beefed up from the beginning instead of taking it to committee in such an incomplete format.
Those are the issues I found, just reading through the legislation and after so many of my constituents wrote to me. They still have major issues. What they want to see is a significant number of amendments brought forward to fix the legislation. There are a few ways to do that. The government could just draft a new piece of legislation and table it again and have it go forward. There are a lot of good things in the bill, like many members have said, that make it salvageable.
At the committee stage, that is where they get into it. I do really believe this should go to the industry committee. It may want to bounce the bill around to the different committees. I used to sit on the Standing Committee on Finance in the previous Parliament, and the government would apportion the omnibus budget bill to different committees and look at the parts in order to have the expertise. So much of this is about corporations and businesses that it should really go to the industry committee. Again, it is the industry minister who has tabled the law.
On the issue of identifiable information, the definition should include such information as people's email address, obvious personal information like location information, gender, biometric data, web cookies, political opinions and any pseudonyms they might use so the company or the organization that is collecting it can combine it all together. It does not have to be a private organization; it could be a public one, it could be a charity doing this; who knows? That could have been a much better definition than simply leaving it very open-ended as “an identifiable individual”.
Another matter that a lot of my constituents have raised is the playing field between a Canadian company based here where Canadian law can easily reach it with the fines that would be levied; and then international companies, perhaps based in Latin America, in parts of Africa, in Australia and other countries that have different privacy laws and how we would be able to find them and also collect the fines on them. That whole mechanism and the fact of a tribunal of three to six people and only requiring one expert is another issue.
I have tried to lay out as many issues as I have heard from my constituents in my riding. I mentioned that some of them had very specific concerns.
Much of the legislation is on the right path, but there are so many shortcomings. Like the previous member said, the issues here are data privacy and control, regarding who controls the information and where it can go and that the legislation is still unclear in certain parts, regarding who can deal with it; and exemptions and exceptions being given. Those two different concepts need to be fleshed out more in the legislation. It should be done at committee. It should be done at the industry committee first. If it needs to go to the ethics committee afterwards, so be it; but the industry committee should deal with it first, immediately.