Madam Speaker, data is used for good and data is used for evil. Data is money, data is power and data is knowledge. Data can improve our lives. Data can also harm our lives. Data tells the story of our lives, and our personal data flows globally. The amount of data in the world has doubled since 2020 and is expected to triple by 2025 according to Statista, 2022.
To understand why we need modern privacy rights in the digital world, it is important to understand that businesses have evolved from providing a specific service, like a social network such as Facebook and Twitter or a search engine such as Google or Microsoft to find things, to using data to gather information on individuals and groups, to manage and deploy people's data and to sell their information to others and sell them goods and services.
We have evolved from businesses providing these services for interest to businesses using these services for surveillance on us and making enormous amounts of money on our personal information. As legislators, we must balance the uses of data collection with an individual's right to privacy. It is a delicate balance that Bill C-27 aims to address by modernizing our privacy laws.
At the heart of this long overdue revision to our privacy laws must be the rights of the individual. In my view, commercial usage of data under privacy law should be secondary to personal privacy, and should only be focused on how business interests enhance personal needs and how commercial entities protect individual privacy rights. My remarks today will focus on why this legislation falls far short of what individuals, groups and businesses need for a clear legislative framework of data collection and management of personal information in this digital age.
First, Bill C-27 is really three bills in one omnibus bill. The first bill would update privacy law. The second bill contains a new semi-judicial body and would potentially duplicate what the Privacy Commissioner could do while removing the right to go to the courts. The third is a rushed bolt-on bill on artificial intelligence that does not, in my mind, have much intelligence in it. The Liberal legislation manages to weaken privacy and put up barriers to innovation at the same time.
Bill C-27 fails Canadians right up front in its preamble. Despite demands from privacy advocates over the last few years, the government has failed to recognize privacy as a fundamental right in the preamble. The bill states that individuals' personal information should have the “full enjoyment of fundamental rights”. This is clever language that avoids giving personal privacy the recognition that it is a fundamental right or a fundamental human right.
The wording “full enjoyment of fundamental rights” in the preamble needs to be amended from “of fundamental rights” to “as a fundamental right”. Furthermore, leaving this strictly in the preamble reduces if not eliminates any real legal impact. If privacy is a fundamental right, for it to have true force in this bill it needs to be included as well in clause 5, which notes the purpose of the bill.
Why is privacy a fundamental right? Freedom of thought, freedom of speech and freedom to be left alone are derived from privacy. The legal protections of privacy limit government's intrusion into our lives. In free and democratic societies, we consider these freedoms as essential rights. The rights to think what I want, to say what I want and to be free to choose what I do, what I am interested in and whom I interact with and where I do that in our digital world are data points. To me they are personal information and therefore are part of a fundamental right to privacy.
What does this mean? It means privacy rights under law are prioritized over commercial rights. A rights-based approach serves as an effective check on technology's potential dangers while ensuring businesses can function and thrive.
Government officials have told me this cannot be recognized in the bill the way it needs to be to have true meaning under law and force because it would intrude on provincial jurisdiction. I do not agree, and neither does the Privacy Commissioner of Canada. Both levels of government can regulate privacy and do. The federal government's role is to regulate aspects under its control, including the fact that commerce does not follow provincial boundaries and therefore requires federal oversight.
I believe that most Canadians accept and expect their data to be used to enhance their experiences and needs in our modern society. I also believe that for organizations to obtain the data of Canadians, Canadians must first consent to it, and that if these same organizations find new uses of our data, they need to get express consent as well. Canadians want their data safely protected and not used for things they did not give permission for, and if they choose to end a relationship with a service provider, they want their personal data to be destroyed.
I do not believe Canadians want their personal data sold to other entities without their express consent, and how does Bill C-27 deal with these expectations of Canadians? I think poorly. The legislation, in the summary section, states that the dual purpose of the bill is to “govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities.” What it would not do is place personal privacy rights above commercial interests.
The bill would require express consent in clause 15, and that is true, but a great deal of the bill goes on to describe the many ways in which consent would not be required and how it would be left up to the discretion of the organization that has collected the data if it needs consent for its usage. The bill is also weak in terms of making sure individuals understand consent when given. For consent to be meaningful, the usages proposed must be understood. The lack of definition and the placement of burden of interpretation on businesses expose those same businesses to legal action and penalties if they get it wrong. This lack of clarity may stifle innovation in Canada as a result. The bill needs to ensure that individuals understand the nature, purpose and consequences of the collection, use and disclosure of the information to which they are consenting.
In addition, the bill would give organizations the right to use information in new ways and would require businesses to get an update to consent for this information. That is good and necessary, but the bill would also enable organizations to use the implied consent in subclause 15(5). When combined with paragraph 18(2)(d), this would give businesses carte blanche to use implied consent rather than express consent.
An organization can decide on its own that the original consent implies consent for a new purpose, and they do not need to seek the individual's views. This is a version of the old negative option marketing that was outlawed in the 1990s. Either someone gives consent, or they do not. There is no such thing as implied consent, in my view, and this needs to be removed from the bill.
Additionally, the bill uses the term “sensitive information”, which companies and organizations must determine to protect data, but it does not anywhere in the more than 100 pages define what “sensitive information” is. It needs to be defined in the bill to include information revealing racial and ethnic origin, gender identity, sexual orientation and religious and other affiliations. These are just a few examples.
However, that is not the worst of it. Bill C-27 would introduce a concept called “legitimate interest”. This is a new rule that would rank an individual's interests and fundamental rights below those of the organization that gathered the information, the exact opposite of what a personal privacy bill should do. To do this, subclause 18(3) would allow an organization or business to use information if it has a legitimate interest in doing so. However, here is where it really gets goofy: To try to reduce businesses using our data under the legitimate interest clause for their own needs over ours, the Liberals have decided to limit the power under paragraph 18(3)(b). This clause could prohibit the business or organization from using our information for the purpose of influencing behaviour.
For more than 20 years, since the invention of loyalty and rewards programs, retailers have used people's data to offer products they might enjoy based on their purchasing patterns. Have members ever bought wine online or in store because it said, “If you like this, you might enjoy this alternative”? Have members ever watched a show on Netflix because it was recommended? Have members ever listened to a song on Spotify because it was recommended based on what else they had listened to? Well, guess what. Paragraph 18(3)(b) could now make this service illegal.
The Liberals cannot get express consent right, and they are allowing companies to use people's data with implied consent or no consent at all. The Liberals are also putting the business use of people's personal data above their privacy rights. That is why it is really the no privacy bill. At the same time, the Liberals are making illegal the good parts of what businesses do in enhancing the customer experience by removing the ability to study purchasing patterns and offering products that we might enjoy because of paragraph 18(3)(b). This bill makes influencing people's decisions illegal.
The minister said to me and mentioned in the House in his opening speech on the bill, as have other members today, that he is proud to be protecting children from harm in this digital bill. This 100-page legislation has only one clause related to children. Subclause 2(2), under “Definitions”, states that “information of minors is considered to be sensitive”, but the bill does not define “sensitive” nor does it define what a minor is. Officials tell me that the definition of a minor is determined by provincial law, so each province would have different rules, and companies would have to comply with the different rules in every province.
If the protection of children were really a major purpose, this legislation would devote some space to defining both what a minor is and what sensitive information is. During COVID, minors used many online apps and programs to continue their formal education. There were then and still are no protections under law as to what is done with their data. This technology would be a new normal for our education system. The online surveillance of children resulting from the COVID experience is huge and protections are zero, even with this bill.
This bill needs to define in law, not regulation, age-appropriate consent for minors, and comprehensive rules to prevent the collection, manipulation and use of any minor's data. This bill leaves it up to businesses to decide what is sensitive and appropriate for minors. It is a colossal failure on the minister's main selling point for this no privacy bill.
The bill is silent on the selling of personal data. It needs provisions on the limits and obligations of data brokers. The bill is silent on the use of facial recognition technology. The bill also prohibits using data in a way that produces significant harm and defines it inadequately. For example, psychological harm caused by a data breach and embarrassment caused by privacy loss are not included. The damages role needs to be expanded to include moral damages, since most contraventions of privacy do not involve provable, quantifiable damages.
Creating more government bureaucracy and growth is the true legacy of the Liberals in government. This bill is no exception, with the creation of a body to appeal the Privacy Commissioner's rulings to. The appointed new body of non-lawyers is called the personal protection and data tribunal, and it is the second part of the bill. Frankly, these powers, if they really are important, should be given to the Privacy Commissioner to eliminate the middle man of bureaucracy. There is no need for this tribunal.
Finally, let us turn to the ill-conceived, poorly structured and ill-defined artificial intelligence part of Bill C-27. It really needs to be removed from this legislation and puts this bill's passage into question. AI is a valid area to legislate, but only with a bill that has a legislative goal. That is why I am hopeful that the Speaker will rule in favour of the NDP's point of order, reiterated by our Conservative House leader, which would ensure that part 3 of the bill is voted on separately from part 1 and part 2.
Essentially, this part of Bill C-27 would drive all work on AI out of Canada to countries with clearer government legislation. It tells me the government has not done its homework, does not really know what AI is or will become, and has no idea how it will impact people in our country.
The bill asks parliamentarians to pass a law that defines no goals or oversight and would give all future law-making power to the minister through regulation, not even to the Governor in Council but to the minister. The minister can make law, investigate violations, determine guilt and impose penalties without ever going to Parliament, cabinet or any third party.
It is a massive overreach and is anti-democratic in an area critical to Canada's innovation agenda. Promises of consultation in the process of crafting regulations are too little, too late. It puts too much power in the hands of unelected officials and the minister.
The definition in the bill of what AI is, and therefore what it wants total regulatory power over, is a system that autonomously processes data related to human activities using a genetic algorithm, a neural network, machine learning or other networks to make recommendations or predictions. If we think this is futuristic, it is not. It is already happening in warfare to determine and execute bombings.
Without parliamentary oversight, the bill introduces the concept of “high-impact systems”. It does not define what that is, but it will be defined in regulation and managed in regulation. No regulatory power should ever be given to the minister or the Governor in Council for anything that is not defined in law.
The only thing the bill defines is the unprecedented power to rule all over this industry and the fines to those who breach the unwritten regulations. The massive financial and jail penalties that extend down to the developers and the university researchers for undefined breaches of law as part of the statute are huge.
Unless this portion of the bill is separated when members vote, this AI section is reason alone that the bill should be defeated. AI is a significant need, but it needs a proper legislative framework, one that is actually developed with consultation.
I urge all members to read the bill carefully. Current privacy laws need amendment, but the current law is preferable to this ill-defined proposal. The AI bill would drive innovation and business out of Canada's economy, making us less competitive.
It is hard to believe anyone could get this legislation so wrong, especially since this is the second time the Liberals have proposed updating our privacy laws. Without splitting the bill, without having separate votes and without considerable amendments in committee in the first two parts, the bill should be defeated.
I urge all members to consider this seriously in their deliberations as we go on to the many speeches that we will hear. While this is a critical point of updating our personal privacy, the bill, in its current state, does not do it and it gives equal if not greater rights to businesses and organizations than it does to individuals.