Mr. Speaker, it is always a privilege to rise on behalf of the residents of Kelowna—Lake Country. Today we are debating Bill C-27, an act that would enact the consumer privacy protection act, the personal information and data protection tribunal act and the artificial intelligence and data act.
Canadians know we no longer live in the year 2000, but unfortunately much of our digital regulation still does. We have come a long way since Canadians' primary online concern was Y2K. The last time Parliament passed a digital privacy framework was PIPEDA, or the Personal Information Protection and Electronic Documents Act, on April 13, 2000. The most popular website in Canada that month was AOL.
When Parliament last wrote these regulations, millions of homes did not have dial-up, let alone Wi-Fi. Cellular phones lacked apps or facial recognition, and people still went continually to libraries to get information, and did not have the Alexas of the world as an alternative. They also called restaurants directly for delivery. Digital advertising amounted to flashing banners and pop-up ads.
In only 22 years, we have experienced a paradigm shift in how we treat privacy online. Personal data collection is the main engine driving the digital economy. A Facebook account is now effectively required to use certain types of websites and help those websites; a laptop can create a biometric password for one's bank account, and Canadians are more concerned about privacy than ever before.
One of the most common videos I share with residents in my community of Kelowna—Lake Country is one relating to privacy concerns during my questioning at the industry committee in 2020, as many people reached out to me about privacy concerns. It was to a Google Canada representative regarding cellphone tracking. This was in the immediate aftermath of reports of Canadians' cellphone data being used to track people's locations during the pandemic.
Cellphone tracking is something I continue to receive correspondence about, and I am sure other members in the House do as well. As traditionally defined, our right to privacy has meant limiting the information others can get about us. The privacy of one's digital life should be no different from the physical right to privacy on one's property. Canadians must have the right to access and control the collection, use, monitoring, retention and disclosure of their personal data.
Privacy as a fundamental right is not stipulated in the legislation we are discussing today, Bill C-27. It is mentioned in the preamble, which is the narrative at the beginning, but that is not binding. It is not in the legislation itself. While the degree to which someone wishes to use this right is ultimately up to the individual, Parliament should still seek to update the rules using detailed definitions and explicit protections. Canadians are anxious to see action on this, and I have many concerns about this legislation, which I will outline here today.
As drafted, Bill C-27 offers definitions surrounding consent rules to collect or preserve personal information. It would mandate that when personal information is collected, tech companies must protect the identity of the original user if it is used for research or commercial purposes. The legislation outlines severe penalties for those who do not comply and would provide real powers of investigation and enforcement. It presents Canada's first regulations surrounding the development of artificial intelligence systems.
Even though Bill C-27 presents welcome first steps in digital information protection, there is still a long way to go if we are to secure digital rights to the standard of privacy regulation Canadians expect, and most importantly, the protection of personal privacy rights. As is mentioned in Bill C-27, digital privacy rights are in serious need of updating. However, they are not in this legislation.
I agree with the purpose of the legislation, but many of my concerns are about inefficient, regulatory bureaucracy being created and the list of exemptions. Also, the artificial intelligence legislation included in this bill has huge gaps and should really be its own legislation.
From a purely operational perspective, while the legislation would empower the Privacy Commissioner's office with regard to compliance, it also constructs a parallel bureaucracy in the creation of a digital tribunal. If Bill C-27 is enacted, Canada's Privacy Commissioner can recommend that the tribunal impose a fine after finding that a company has violated our privacy laws. However, the final decision to pursue monetary penalties would ultimately rest with the new tribunal. Will this result in a duplicate investigation undertaken by the tribunal to confirm the commissioner's investigation?
As someone who has operated a small business, I am all too aware of the delays and repetitiveness of government bureaucracy. While it is important to have an appeal function, it is evident in this legislation that the Liberals would be creating a costly, bureaucratic, regulatory merry-go-round for decisions.
Canadians looking to see privacy offenders held accountable need to see justice done in a reasonable time frame. That is a reasonable expectation. Why not give Canada's Privacy Commissioner more authority? Of course, Canadian courts stand available. The EU, the U.K., New Zealand and Australia do not have similar tribunals to mediate their fines.
In addition to concerns about duplications of process, I am worried that we may be leaving the definitions of offending activity too broad.
While a fairly clear definition in Bill C-27, which we are debating here today, has the consent requirement for personal data collection, there is also a lengthy list of exemptions from this requirement. Some of these exemptions are also enormously broad. For example, under exemptions for business activities, the legislation states:
18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of a business activity described in subsection (2) and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
On plain reading, this exemption deals more with the field of human psychology than with business regulation.
Also in the legislation is this:
(3) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use
There is also an exemption to consent that would allow an organization to disclose personal information without the individual's knowledge or consent for a “socially beneficial purpose”. This is defined as “a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.” Who determines what constitutes a socially beneficial purpose? This sounds incredibly subjective, and I have a lot of concerns when legislation is this vague.
Let me give a very simple example. Suppose a person using a coffee company app occasionally adds flavourings to their coffee while doing a mobile order. That company could recommend a new product with those flavourings already in it while a person is not physically in their business. Is this not personal information that is collected and used for the purpose of influencing an individual's decision, as in this legislation?
This example is not hypothetical. In an investigation from actions in 2020, Tim Hortons was caught tracking the locations of consumers who had the app installed on their phones even when they were not using the company's app. Tim Hortons argued that this was for a business activity: targeted advertising. However, the report from the federal Privacy Commissioner found that the company never used it for that purpose. Instead, it was vacuuming up data for an undefined future purpose. Would Tim Hortons have been cleared if the current regulations in Bill C-27 were in place and if it had argued that the data was going to be used for future business activity or for some socially beneficial purpose, which is an exemption in the legislation?
While I worry about the loopholes this legislation, Bill C-27, may create for large corporations, I am equally concerned about the potential burden it may place on start-ups as well. This legislation calls for companies to have a privacy watchdog and to maintain a public data storage code of conduct. This is vital for companies like Google, Facebook or Amazon, which have become so integral to our everyday lives and oversee our financial details and private information. Having an officer internally to advocate for the privacy of users is likely long overdue. However, while that requirement would not put much financial burden on these Fortune 500 companies, it could undermine the ability of Canadian digital innovators to get started.
Canada has seen a boom in small-scale technology companies for everything from video game and animation studios to wellness or shopping sites for almost every good or service one could imagine. Digital privacy laws should be strong enough to not require a start-up with just a few staff to have to be mandated to have such a position internally. We should ensure that a concept of scale is appropriately applied in regulating the giants of today without crushing the future digital entrepreneurial spirit of tomorrow.
I would like to address the presence of Canada's first artificial intelligence, or AI, regulations in this bill. While I do welcome the progress on recognizing this growing innovation need for a regulatory framework, I question whether it is a topic too large to be properly studied and included in this bill. In just the last few months, we have seen the rapid evolution of the ability of AI to create an online demand digital artwork, for example, thanks to the self-evolving abilities of machine learning.
The impact of AI on everything from our foreign policies to agriculture production is evident. Computer scientists observed a phenomenon known as Moore's law, which showed that the processing power of a computer would exponentially double every two years, and in the 57 years since this was proposed, this law has apparently not been broken.
I am concerned that most of the rules around AI will be in regulation and not in legislation. We have seen the Liberals do this many times. They do not want to do the hard work to put policies into legislation that will be brought to Parliament and committees to be debated and voted on. They prefer to do the work behind closed doors and bring forth whatever regulations they want to impose without transparency and scrutiny. We have seen the Liberals conduct themselves many times in this way.
Experts in the field have already made the case that Bill C-27 falls seriously short of the global gold standard, the EU's 2016 General Data Protection Regulation. Canadians deserve nothing less.
Though Conservatives agree with the premise of strengthening our digital privacy protection, this bill has many concerns and gaps. Clause 6 outlines that privacy protections do not apply with respect to personal information that has been anonymized. To anonymize is defined in the legislation as “irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”
There are a lot of risks around this. Under this legislation, information could be disclosed in numerous ways, and that is very concerning. This goes back to what I mentioned at the beginning of my speech with respect to my questioning of Google Canada early in the pandemic about tracing the locations of people through their phones and sending it to the government.
The legislation creates more costly bureaucracy. It does not protect personal privacy as a fundamental right. It has questionable exemptions to protect the privacy of people based on ideologies. It allows the government to create large areas of regulations with no oversight or transparency and it is far from the gold standard that other countries have.